Abstract

We advocate a declarative approach to proving properties of logic programs. Total correctness can be separated into correctness, completeness and clean termination; the latter includes non-floundering. Only clean termination depends on the operational semantics, in particular on the selection rule. We show how to deal with correctness and completeness in a declarative way, treating programs only from the logical point of view. Specifications used in this approach are interpretations (or theories). We point out that specifications for correctness may differ from those for completeness, as usually there are answers which are neither considered erroneous nor required to be computed.

We present proof methods for correctness and completeness for definite programs and generalize them to normal programs. For normal programs we use the 3-valued completion semantics; this is a standard semantics corresponding to negation as finite failure. The proof methods employ solely the classical 2-valued logic. We use a 2-valued characterization of the 3-valued completion semantics, which may be of separate interest.

The method of proving correctness of definite programs is not new and can be traced back to the work of Clark in 1979. However, a more complicated approach using operational semantics was proposed by some authors. We show that it is not stronger than the declarative one, as far as properties of program answers are concerned. For a corresponding operational approach to normal programs, we show that it is (strictly) weaker than our method. We also employ the ideas of this work to generalize a known method of proving termination of normal programs.

KEYWORDS: declarative programming, negation in logic programming, specifications, 
program correctness and completeness, termination, teaching logic programming 



1 Introduction 



This paper discusses reasoning about logic programs in terms of their declarative semantics. We view total correctness of programs as consisting of correctness, completeness and clean termination. Correctness (sometimes called partial correctness) means that any answer obtained from the program satisfies the specification. As logic programming is nondeterministic, one is interested in completeness, i.e. that all the results required by the specification are computed. Programs should also (cleanly) terminate: computations should be finite and without run-time errors, like floundering and arithmetical exceptions.

Obviously, clean termination depends on the operational semantics, in particular on the selection rule. However, correctness and completeness do not; they are declarative properties. It is desirable that they could be dealt with in a declarative way, abstracting from any operational semantics and treating programs and their answers only from the logical point of view. Otherwise logic programming would not deserve to be considered a declarative programming paradigm. Declarative treatment of correctness and completeness makes it possible to separate reasoning about "logic" and "control"; correctness and completeness are related to logic and clean termination to control. Changing the control component does not influence correctness and completeness.

In this paper we show how to prove correctness and completeness declaratively. We discuss a known method of proving correctness of definite programs and introduce a method for proving completeness. Then we generalize both methods to programs with negation. As their declarative semantics we employ the 3-valued completion semantics (Kunen 1987). Our proof methods, however, use only the standard 2-valued logic. The employed 2-valued characterization of Kunen semantics may be of separate interest.

The proof method for definite program correctness (Clark 1979; Hogger 1981; Deransart 1993) is simple and straightforward. It is declarative: it abstracts from any operational semantics. It should be well known. However, its usefulness is often not appreciated. Instead, a more complicated approach using operational semantics was proposed by some authors (Bossi and Cocco 1989; Apt 1997; Pedreschi and Ruggieri 1999). That approach takes into account the form of atoms selected under LD-resolution. We show that, as far as declarative properties of programs are concerned, the operational approach is not stronger than the declarative one. The last of these papers also deals with normal programs. In this case we show that the operational approach is strictly weaker than that presented here, when declarative properties are of interest.

The following observation is important for our approach: it should be possible to use approximate specifications, and one should not require that the same specification is used for both correctness and completeness. This is natural, as there usually are answers which are neither considered erroneous nor required to be computed. Using the same specification for both purposes requires making decisions like "should append([], 7, 7) be correct?"; this brings substantial and unnecessary complications. So there is some 3-valued flavour even in logic programming without negation. Notice that if a program is both correct and complete with respect to a specification then the specification cannot be approximate. Approximate specifications are useful not only in the context of proving correctness and completeness. We show how a (non-unique) approximate specification can replace the unique interpretation in the method of (Apt and Pedreschi 1993) for proving termination of normal programs.

The paper consists of two main chapters: Section 3 is devoted to definite programs, Section 4 to normal programs. In each case we first discuss proving correctness, then proving completeness. We also discuss completeness of the presented proof methods and compare them with the operational approach. The section on proving correctness of normal programs also presents a generalization of the method for proving termination by Apt and Pedreschi (1993). The paper is concluded by a section on related work. A preliminary and abridged version of this paper appeared as (Drabent and Miłkowska 2001).



2 Preliminaries 

For basic definitions we refer the reader to (Lloyd 1987) and to (Apt 1997; Doets 1994). We consider the declarative semantics given by 3-valued logical consequences of program completion (Kunen 1987). This is a standard semantics for normal programs with finite failure (Doets 1994). It is a generalization of the classical semantics for definite programs (2-valued logical consequences of the program). SLDNF-resolution is sound for this semantics and important completeness results exist.

We are interested in declarative properties of programs, i.e. properties of programs treated as sets of logic formulae. Speaking more formally, we consider properties of program answers. We are not interested in distinguishing logically equivalent programs, for instance logically equivalent definite programs with different S-semantics (Bossi et al. 1994), like { p(X) ←, p(a) ← } and { p(X) ← }.

By a computed (resp. correct) answer we mean an instance Qθ of a query Q, where θ is a computed (correct) answer substitution for Q and the given program. (A query is a sequence of literals; it is a sequence of atoms when definite programs are concerned.) Notice that, by soundness and completeness of SLD-resolution, the sets of computed and of correct answers for a given definite program are equal. (In particular, a correct answer Qθ for a query Q is a computed answer for a query Qθ.) So in the case of definite programs we usually do not distinguish between these two kinds of answers; the term "answer" refers to both of them. Due to incompleteness of SLDNF-resolution, some correct answers for normal programs are not computed answers. So in the context of normal programs the term "answer" refers to correct answers.

We assume an arbitrary fixed first order language L. Sometimes it is required that the set of function symbols of L is infinite; this will be stated explicitly. A preinterpretation for L is an algebra J and a mapping assigning an n-ary function of J to each n-ary (n ≥ 0) function symbol of L. We will represent interpretations as sets (Lloyd 1987, p. 12; Doets 1994, p. 124): an interpretation (over J) is a set of constructs of the form p(e₁, …, eₙ), where p is a predicate symbol and e₁, …, eₙ are elements of the carrier |J| of J. Such a p(e₁, …, eₙ) will be called a J-atom. Obviously, if J is a Herbrand algebra then an interpretation is a set of ground atoms. The Herbrand base w.r.t. (with respect to) a given language L will be denoted by ℋ, and the least Herbrand model of a definite program P by M_P.

We sometimes use a comma instead of ∧ and assume that conjunction has a higher priority than disjunction, and disjunction higher than implication. For instance α, β ∨ γ, δ stands for (α ∧ β) ∨ (γ ∧ δ), and α ∨ β → γ for (α ∨ β) → γ. In program examples we use some elements of the notation of Prolog (variable names begin with an upper case letter, lists are denoted using [, |, ], etc.).



3 Reasoning about Definite Programs 

First we show a method of proving program correctness. In the next section we 
compare it with an approach related to operational semantics. Then we introduce 
a method of proving completeness. 

3.1 Correctness of Definite Programs

We begin with a brief discussion on specifications. As a standard example let us 
take the program APPEND: 

app([], L, L) ←
app([H|K], L, [H|M]) ← app(K, L, M)

We want to prove that it indeed appends lists. We need a precise statement (a specification) of this property. A slight complication is that the program does not actually define the relation of list concatenation, but its superset; the least Herbrand model contains atoms like app([], 1, 1). This is a common phenomenon in logic programming: the least model contains "ill-typed" atoms which are irrelevant for the correctness of the program. So we want to prove that:

for any answer app(k, l, m), if k and l are lists then m is a list and k * l = m.

(By a list we mean a term [t₁, …, tₙ] (in Prolog notation), where n ≥ 0 and t₁, …, tₙ are possibly non-ground terms. Symbol * denotes the list concatenation.) This property could be equivalently expressed as

spec ⊨ app(k, l, m) (1)

for any answer app(k, l, m), where spec is the Herbrand interpretation:

spec = { app(k, l, m) ∈ ℋ | if k and l are lists then m is a list and k * l = m } (2)

Obviously, (1) holds iff all the ground instances of app(k, l, m) are in spec.

Notice that we do not need to refer to the notion of a query in the specification. Assume that app(k, l, m) = app(k', l', m')θ is a computed answer for a query app(k', l', m'). If k', l' are lists then obviously k, l are lists and (1) implies that m is a list and k * l = m.

Such specifications, referring to program answers, will be called declarative. A declarative specification can be an interpretation (possibly not a Herbrand one) or a theory.¹ In this paper we will use specifications of the first kind, but we expect that our results also apply to specifications of the second kind.

Definition 3.1

A definite program is correct w.r.t. a declarative specification spec iff spec ⊨ Q for any answer Q of the program.

Notice that a program P is correct w.r.t. a Herbrand interpretation spec iff its least Herbrand model M_P is a subset of spec (as for such interpretations spec ⊨ Q means that all the ground instances of the atoms in Q are in spec).

To prove correctness (of a logic program w.r.t. a declarative specification) we use an obvious approach, discussed among others by Clark (1979), Hogger (1981, p. 378-9) and Deransart (1993, Section 3).² We will call it the natural proof method. It consists of showing that spec ⊨ C for each clause C of the considered program. The soundness of the natural method follows from the following simple property.

Proposition 3.2 (Correctness, definite programs)

Let P be a program and spec be an interpretation. If

spec ⊨ P

then P is correct w.r.t. specification spec.

Proof

By soundness of SLD-resolution, P ⊨ Q for any answer Q. Now spec ⊨ P and P ⊨ Q imply spec ⊨ Q. (This also holds for spec being a theory.) □

The method is also complete (Deransart 1993) in the following sense. If a program P is correct w.r.t. a declarative specification spec then there exists a stronger specification spec' ⊆ spec such that spec' ⊨ P, and thus the method is applicable to spec'. (To prove this property, take as spec' the least model of P over the given preinterpretation.)

Example 3.3

The proof of correctness of APPEND w.r.t. specification (2) is rather simple. We present here its less trivial part with details. Consider the second clause. To show that

spec ⊨ app([H|K], L, [H|M]) ← app(K, L, M)

take ground terms h, k, l, m (and valuation {H/h, K/k, L/l, M/m}) such that spec ⊨ app(k, l, m), in other words app(k, l, m) ∈ spec. We have to show that spec ⊨ app([h|k], l, [h|m]). Assume that [h|k] and l are lists, hence k is a list. Then m is a list and k * l = m, as spec ⊨ app(k, l, m). Thus [h|m] is a list and [h|k] * l = [h|m], hence app([h|k], l, [h|m]) ∈ spec. This concludes the proof.

¹ A specification corresponding to our example specification spec may consist of an axiom app(k, l, m) ↔ (list(k), list(l) → list(m), k * l = m) together with axioms describing predicates =, list and function *, and an induction schema for lists.

² where it is called "inductive proof method".
Example 3.4

The specification of APPEND considered above does not describe the usage of APPEND to split a list or to subtract lists. Also the requirement on k is unnecessary. This is because our intention was to follow a corresponding example of (Apt 1997). A full specification of APPEND may be

spec_APPEND = { app(k, l, m) ∈ ℋ | if l or m is a list then k, l, m are lists and k * l = m }.

It is easy to check, in a way described above, that spec_APPEND ⊨ APPEND. Thus by Proposition 3.2 program APPEND is correct w.r.t. spec_APPEND.
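The following Python script (an added example, not from the paper) carries out the natural method's check spec ⊨ C for both APPEND clauses by brute force, over a constructed finite Herbrand universe made of the constant 1, [] and cons cells with at most two cons nodes, for specification (2), for spec_APPEND of Example 3.4, and for the "exact" specification spec' = { app(k, l, m) | k, l, m are lists and k * l = m } discussed in Section 3.2. The function names and the term encoding are the example's own assumptions; a bounded check over a finite universe can refute spec ⊨ C (as it does for spec', at the ill-typed instance app([], 1, 1) of the first clause) but cannot by itself prove it for all ground instances.

```python
"""Bounded check of the natural proof method (spec |= C) for the APPEND program.

Term encoding (this example's own): the constant '1', the empty list NIL = '[]',
and cons cells ('.', head, tail). A (proper) list is NIL or a cons cell whose
tail is a list, so ('.', '1', '1') stands for the non-list term [1|1].
"""
from itertools import product

NIL = '[]'
CONSTANTS = ('1',)   # constructed, deliberately "ill-typed" (non-list) constant


def cons(head, tail):
    return ('.', head, tail)


def is_list(term):
    """True iff term is a proper list [t1, ..., tn] (n >= 0)."""
    while term != NIL:
        if not (isinstance(term, tuple) and term[0] == '.'):
            return False
        term = term[2]
    return True


def concat(k, l):
    """k * l for proper lists k and l."""
    return l if k == NIL else cons(k[1], concat(k[2], l))


def ground_terms(max_cons):
    """All ground terms of the universe with at most max_cons cons cells."""
    by_size = {0: list(CONSTANTS) + [NIL]}
    for n in range(1, max_cons + 1):
        by_size[n] = [cons(h, t)
                      for i in range(n)
                      for h in by_size[i]
                      for t in by_size[n - 1 - i]]
    return [t for n in range(max_cons + 1) for t in by_size[n]]


# Herbrand specifications, given as characteristic functions on ground atoms
# app(k, l, m): True iff the atom belongs to the interpretation.
def spec_2(k, l, m):
    """Specification (2): if k and l are lists then m is a list and k * l = m."""
    if is_list(k) and is_list(l):
        return is_list(m) and concat(k, l) == m
    return True


def spec_append(k, l, m):
    """spec_APPEND (Example 3.4): if l or m is a list then k, l, m are lists and k * l = m."""
    if is_list(l) or is_list(m):
        return is_list(k) and is_list(l) and is_list(m) and concat(k, l) == m
    return True


def spec_exact(k, l, m):
    """spec' of Section 3.2: only the intended atoms, ill-typed ones excluded."""
    return is_list(k) and is_list(l) and is_list(m) and concat(k, l) == m


def check_append(spec, max_cons=2):
    """Check spec |= APPEND on all ground clause instances over the bounded universe.

    Returns None when every instance of both clauses is true in spec, otherwise
    (clause name, falsified head atom as a (k, l, m) triple)."""
    terms = ground_terms(max_cons)
    # Clause 1, app([], L, L) <- : a fact, so its head must be in spec for every L.
    for l in terms:
        if not spec(NIL, l, l):
            return ('clause1', (NIL, l, l))
    # Clause 2, app([H|K], L, [H|M]) <- app(K, L, M): whenever the body atom is
    # in spec, the head atom must be in spec as well. H ranges over cons-free terms.
    heads = list(CONSTANTS) + [NIL]
    for h, k, l, m in product(heads, terms, terms, terms):
        if spec(k, l, m) and not spec(cons(h, k), l, cons(h, m)):
            return ('clause2', (cons(h, k), l, cons(h, m)))
    return None


if __name__ == '__main__':
    for name, spec in (('spec (2)', spec_2), ('spec_APPEND', spec_append),
                       ("spec' (exact)", spec_exact)):
        result = check_append(spec)
        verdict = 'model of APPEND' if result is None else f'falsified at {result}'
        print(f'{name}: {verdict}')
```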

The program in the next example uses accumulators. Alternatively it can be seen as employing difference lists. Let us define that a difference list representing a list [t₁, …, tₙ] is any pair ([t₁, …, tₙ|t], t) of terms, where t is an arbitrary term.

Example 3.5

Consider the standard REVERSE program:

reverse(X, Y) ← rev(X, Y, [])
rev([], X, X) ←
rev([H|L], X, Y) ← rev(L, X, [H|Y])

The declarative reading of the program is simple: the first argument of rev is a list, its reverse is represented as a difference list of the second and the third argument. This can be expressed by a formal specification

spec_R = { reverse([t₁, …, tₙ], [tₙ, …, t₁]) | n ≥ 0, t₁, …, tₙ ∈ T }
  ∪ { rev([t₁, …, tₙ], [tₙ, …, t₁|t], t) | n ≥ 0, t₁, …, tₙ, t ∈ T }

where T is the set of ground terms.

To prove that the program is correct w.r.t. this specification it is sufficient to show spec_R ⊨ REVERSE. The nontrivial part of the proof is to show that the last clause is true in the interpretation spec_R. Take ground terms l, x, h, y such that spec_R ⊨ rev(l, x, [h|y]). So there exist n ≥ 0, t₁, …, tₙ, t such that l = [t₁, …, tₙ], x = [tₙ, …, t₁|t], t = [h|y]. Then rev([h|l], x, y) is rev([h, t₁, …, tₙ], [tₙ, …, t₁, h|y], y), thus spec_R ⊨ rev([h|l], x, y).

A quite common opinion is that "ill-typed" logical consequences of programs (like app([], 1, 1) for program APPEND) lead to difficulties in reasoning about program correctness (cf. e.g. Apt 1995; Apt 1997; Naish 1992). Similarly, programs dealing with accumulators or difference lists are sometimes considered difficult to reason about (cf. e.g. Apt 1995). The natural method deals with such programs without any special burden, as the examples above show.

Notice that the natural method refers only to the declarative semantics of programs. A specification is an interpretation (alternatively a theory). Correctness is expressed as truth (of the program's answers) in the interpretation. Program clauses are treated as logic formulae; their truth in the interpretation is to be shown. We abstract from any operational semantics, in particular from the form of queries appearing during computation. The reasoning is obviously independent from the selection rule. Still we can use declarative specifications to reason about queries and corresponding answers, using the fact that an answer is an instance of the query.

3.2 Call-Success Specifications and the Operational Approach 

In this section we present an operational approach to program correctness and prove that it is not stronger than the natural method of Proposition 3.2 (as far as properties of program answers are concerned). We also argue that from a practical point of view the natural method is advantageous.

Some authors (Bossi and Cocco 1989; Apt 1997, Chapter 8; Pedreschi and Ruggieri 1999)³ propose another approach to proving correctness. The approach explicitly deals with the form of queries. It uses specifications consisting of two parts. The precondition specifies atomic queries and the postcondition their success instances. We will call such specifications call-success specifications. Formally, pre- and postconditions are sets of atoms, closed under substitutions.

The proof method used in this approach was proposed by Bossi and Cocco (1989) and is an instance of the method of (Drabent and Małuszyński 1988).⁴ We will call it the operational proof method. It is based on the following verification condition:

Let (pre, post) be a call-success specification, with the precondition pre and the postcondition post. For each clause C of the program it should be shown that for each (possibly non-ground) instance H ← B₁, …, Bₙ (n ≥ 0) of C

if H ∈ pre, B₁, …, Bₖ ∈ post then Bₖ₊₁ ∈ pre (for k = 0, …, n−1),
if H ∈ pre, B₁, …, Bₙ ∈ post then H ∈ post. (3)

Additionally, there is a condition on initial queries. One requires that for any instance B₁, …, Bₙ (n ≥ 0) of such query, if B₁, …, Bₖ ∈ post then Bₖ₊₁ ∈ pre (for k = 0, …, n−1). In (Apt 1997) a program (a query) with a call-success specification is called well-asserted if it satisfies the respective condition above.

The intuition behind condition (3) is related to operational semantics, to procedure calls and successes under LD-resolution (SLD-resolution with the Prolog selection rule). Indeed, (3) implies a stronger, non-declarative notion of correctness. We will say that a program is correct w.r.t. a call-success specification (pre, post) if every procedure call in an LD-derivation is in pre and every procedure success is in post, provided the initial query satisfies the condition above. By a procedure call we mean the atom selected in a goal, and by a procedure success a computed instance of a procedure call. If P satisfies the verification condition (3) then P is correct w.r.t. the call-success specification (see (Apt 1997) and the references therein).

Notice that correctness w.r.t. a call-success specification is not a declarative property. It considers not only computed answers, but whole computations (LD-trees). Thus this kind of correctness depends on the selection rule used. This is why we call the method operational.



³ Whenever these approaches differ, we follow that of (Apt 1997).

⁴ The latter approach does not require specifications to be closed under substitutions.
Example 3.6

Consider the APPEND program. We refer here to its treatment in (Apt 1997, p. 214). The precondition and postcondition are, respectively,

pre = { app(k, l, m) | k and l are lists },
post = { app(k, l, m) | k, l, m are lists and k * l = m }.

(Here k, l, m are terms, possibly non-ground.) The details of the proof can be found in (Apt 1997).

Now we formally compare both proof methods. We are going to prove that, as far as declarative properties are of interest, both methods are equivalent. Remember that we refer to two notions of program correctness: w.r.t. declarative specifications (of the natural method) and w.r.t. call-success specifications (of the operational method).

We first prove that the operational method is stronger than the natural one. We 
show that correctness w.r.t. a declarative specification can be expressed by means 
of correctness w.r.t. a call-success specification, and that whatever can be proven by 
the natural method, can be proven by the operational method. Roughly speaking, 
the natural method is the operational one with the preconditions abandoned. 

Proposition 3.7

Let P be a program, and let an interpretation spec be a declarative specification. Consider a call-success specification (pre_⊤, post(spec)), where pre_⊤ is the set of all atoms and post(spec) = { A | spec ⊨ A }.

Then P is correct w.r.t. spec iff P is correct w.r.t. (pre_⊤, post(spec)). Moreover, P and spec satisfy the verification condition of the natural method (Proposition 3.2) iff P and (pre_⊤, post(spec)) satisfy the verification condition (3) of the operational method.

Proof

The first equivalence is obvious.

Consider the call-success specification (pre_⊤, post(spec)). Notice that the condition on initial queries is trivially satisfied by any query. All the implications of (3) except the last one are trivially satisfied. The last implication of (3) holds for each instance of a clause C iff spec ⊨ C. (For the non-obvious "if" case notice that B₁, …, Bₙ ∈ post(spec) means spec ⊨ Bᵢ for i = 1, …, n; hence from spec ⊨ H ← B₁, …, Bₙ we obtain spec ⊨ H.) □

It remains to show that the operational method is not stronger than the natural one, as far as the declarative properties are concerned. Consider a call-success specification (pre, post). A corresponding declarative specification could be seen, speaking informally, as implication pre → post. The following definition formalizes this idea.

Definition 3.8

Let pre and post be sets of atoms closed under substitution. The declarative specification corresponding to the call-success specification (pre, post) is the Herbrand interpretation

pre→post := { A ∈ ℋ | if A ∈ pre then A ∈ post }.

In other words, pre→post = (ℋ \ pre) ∪ (ℋ ∩ post). If P is correct w.r.t. pre→post and Aθ is an answer to a query A ∈ pre then Aθ ∈ post. As an example take the call-success specification of APPEND from Example 3.6. The corresponding declarative specification is the specification of APPEND from the previous section.

The following proposition compares the corresponding declarative and call-success specifications. (A similar property is mentioned without proof in (de Boer et al. 1997; Pedreschi and Ruggieri 1999).) The next proposition (see also (Courcelle and Deransart 1988)) compares both proof methods.

Proposition 3.9

If a program P is correct w.r.t. a call-success specification (pre, post) then P is correct w.r.t. the declarative specification pre→post.

Proof

Assume that a program P is correct w.r.t. (pre, post). As pre→post is a Herbrand interpretation, it is sufficient to show that M_P ⊆ pre→post (cf. the comment following Definition 3.1). Consider an A ∈ M_P. So query A succeeds. If A ∈ pre then A ∈ post. Thus A ∈ pre→post. □

Now we show that if it can be proved by the operational method that a program P is correct w.r.t. (pre, post) then it can be proved by the natural method that P is correct w.r.t. pre→post.

Proposition 3.10

If P and (pre, post) satisfy the verification condition (3) of the operational method then pre→post ⊨ P.

Proof

pre→post ⊨ P means that for any ground instance H ← B₁, …, Bₙ of a clause of P, if B₁, …, Bₙ ∈ pre→post then H ∈ pre→post. Consider such an instance and assume that B₁, …, Bₙ ∈ pre→post. If H ∉ pre then H ∈ pre→post. Otherwise, for H ∈ pre we obtain from (3) by simple induction that Bᵢ ∈ pre and Bᵢ ∈ post, for i = 1, …, n. Hence H ∈ post, by (3); thus H ∈ pre→post. □

The converse of the two propositions does not hold:

Example 3.11

For a simple counterexample consider P and (pre, post) satisfying the verification condition (3), and reorder the atoms in the clause bodies. The obtained program P₁ may be incorrect w.r.t. (pre, post), but pre→post ⊨ P₁.

For a counterexample independent from the ordering of body atoms, consider the program P₂:

p(X, Y, Z) ← q(X, Z), q(Y, Z)
q(X, X) ←

Let S be a set of ground terms. Consider a declarative specification pre→post, where

pre = { p(t₁, t₂, t₃) | t₁ ∈ S or t₂ ∈ S } ∪ { q(t₁, t₂) | t₁ ∈ S },
post = { p(t₁, t₂, t₃) | t₃ ∈ S } ∪ { q(t₁, t₂) | t₂ ∈ S }.

We have pre→post ⊨ P₂, but P₂ is incorrect w.r.t. the operational specification (pre, post). The same holds for P₂ with the atoms in the clause body swapped.
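To make Example 3.11 concrete, here is an added Python check (not from the paper) over a constructed finite universe of two constants a, b with S = {a}: it enumerates the ground instances of both clauses of P₂ and tests, for each, the natural method's condition pre→post ⊨ C and the operational verification condition (3). The names pre, post, pre_to_post and the universe are this example's assumptions; the outcome is that pre→post ⊨ P₂ while (3) fails at the ground instance p(a, b, a) ← q(a, a), q(b, a), whose second body atom q(b, a) lies outside pre.

```python
"""Example 3.11, program P2, checked over a constructed finite Herbrand universe.

    p(X, Y, Z) <- q(X, Z), q(Y, Z)
    q(X, X) <-

pre  = { p(t1,t2,t3) | t1 in S or t2 in S } u { q(t1,t2) | t1 in S }
post = { p(t1,t2,t3) | t3 in S }           u { q(t1,t2) | t2 in S }

Atoms are encoded as tuples (predicate, *arguments); the universe is the two
constants 'a' and 'b' with S = {'a'} (both constructed for this example).
"""
from itertools import product

TERMS = ('a', 'b')
S = {'a'}


def pre(atom):
    """Membership in the precondition pre."""
    pred, *args = atom
    if pred == 'p':
        return args[0] in S or args[1] in S
    return args[0] in S


def post(atom):
    """Membership in the postcondition post."""
    pred, *args = atom
    if pred == 'p':
        return args[2] in S
    return args[1] in S


def pre_to_post(atom):
    """Membership in the declarative specification pre->post of Definition 3.8."""
    return post(atom) if pre(atom) else True


def ground_clauses():
    """All ground instances of the two clauses of P2, as (head, body) pairs."""
    for x, y, z in product(TERMS, repeat=3):
        yield ('p', x, y, z), [('q', x, z), ('q', y, z)]
    for x in TERMS:
        yield ('q', x, x), []


def natural_condition():
    """pre->post |= P2: for every ground clause instance, if all body atoms are in
    pre->post then so is the head. Returns None, or a falsified (head, body)."""
    for head, body in ground_clauses():
        if all(pre_to_post(b) for b in body) and not pre_to_post(head):
            return head, body
    return None


def operational_condition():
    """Verification condition (3) on the ground clause instances:
      if H in pre and B1..Bk in post then B(k+1) in pre, and
      if H in pre and B1..Bn in post then H in post.
    Returns None, or the first violated implication."""
    for head, body in ground_clauses():
        if not pre(head):
            continue
        for k, b in enumerate(body):
            if all(post(prev) for prev in body[:k]) and not pre(b):
                return ('call not in pre', head, b)
        if all(post(b) for b in body) and not post(head):
            return ('success not in post', head, body)
    return None


if __name__ == '__main__':
    print('natural method, pre->post |= P2:', natural_condition())
    print('operational method, condition (3):', operational_condition())
```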

The last two propositions show that the natural method is stronger than the 
operational one (and hence equivalent to it), as far as declarative properties are 
concerned. In contrast to the operational method, the natural one is independent 
from the order of the body atoms in clauses. 

We proved that the two methods are formally equivalent. Now we argue that, from the practical point of view, switching from the operational method to the natural one does not bring any difficulties or complications. First, a declarative specification corresponding to a given call-success specification is obtained from the latter by a simple composition of three operations: removing non-ground atoms, set complementation and set union. Then, the proof of Proposition 3.10 shows how to obtain a natural method proof out of an operational one. This is done by adding a few simple steps. (Notice that for the new proof we consider implications (3) only for ground instances of clauses.)

The natural method requires proving one implication per program clause. In 
contrast, the operational method requires proving one implication for each atom 
occurring in the program or in the initial query. This is a price for obtaining more 
information: the property proved concerns not only program answers but also calls 
and successes under LD-derivations. However, when one is not interested in the 
latter, the natural method seems more convenient. 

There are many examples of using the operational method where the declarative one is sufficient (for instance cf. the papers mentioned above). Apparently people are often confused by the fact that the least Herbrand model contains undesired, "ill-typed" atoms (cf. the opinions of (Apt 1995)). They want a specification describing exactly the set of atoms of interest. For instance, such a set for APPEND is spec' = { app(k, l, m) | k, l, m are lists and k * l = m }. A program is usually not correct w.r.t. such a declarative specification. It is often not recognized that the property of interest can be described by means of an approximate declarative specification, like those from the examples of Section 3.1.

There may be another reason for using specifications describing exactly the sets of answers of interest: such specifications can be employed in reasoning about program completeness. It is however not necessary to use the same specification for both correctness and completeness. As we argue in Section 3.3, it is quite convenient and natural to use separate specifications instead.
Notice the difference in the treatment of "ill-typed" atoms (like app([], 1, 1) for APPEND) by the two approaches. In the natural method we can include such atoms in a specification. For example, the declarative specification spec_APPEND from Example 3.4 contains all ground atoms of the form app(k, l, m) where l and m are not lists. In the operational method the "ill-typed" atoms are usually excluded from postconditions. A precondition states explicitly how the program should be called to avoid "ill-typed" answers. The call-success specification of APPEND discussed above is a typical example. So the postcondition of a call-success specification is M_P ∩ pre or its superset, while a declarative Herbrand specification is a superset of M_P (for instance M_P ∪ (ℋ \ pre)).

The following example shows that such treatment of "ill-typed" atoms by the 
operational method is impossible in some cases. It also shows that sometimes a 
non-trivial precondition cannot be used and the operational method boils down 
to the natural one; what conceptually is a precondition has to be expressed by a 
postcondition. 

Example 3.12

Let us consider a program TWO = TWO_p ∪ TWO_q, where TWO_p is

p(X, Y) ← q(X, X2, X1, X3), q(X1, X3, X2, Y)

and p does not occur in TWO_q. Assume that TWO_q is correct w.r.t. declarative specification

spec_q = (pre_q¹→post_q¹) ∩ (pre_q²→post_q²),

where

pre_q¹ = { q(t, s, u, v) | list(t) },  post_q¹ = { q(t, s, u, v) | list(u) },
pre_q² = { q(t, s, u, v) | list(s) },  post_q² = { q(t, s, u, v) | list(v) },

and list(t) stands for "t is a list", for a possibly non-ground term t. (Thus spec_q states that if the i-th argument of q is a list then its argument i + 2 is a list too, for i = 1, 2. Nothing more is known about TWO_q. Notice that spec_q includes all atoms with the predicate symbol distinct from q.)

Program TWO is an abstraction of "two-pass" programs and of certain usages of difference lists. Some examples of such programs can be found e.g. in (… and Małuszyński 1997). Informally, its data flow can be described as follows. The value of X1 produced by the first call of q is used by the second call. The value of X2 is produced by the latter and used by the former, which uses it to produce the value of X3. The value of X3 is used by the second call, which produces the value of Y.

By means of the natural method it is easy to show that, in an answer p(t₁, t₂) of TWO, if t₁ is a list then t₂ is a list too. In order to describe this, let us use declarative specification

spec_TWO = (pre_p→post_p) ∩ spec_q

⁵ Generally: a specification may permit any answer A that is not an instance of any query for which the program is intended to be used.
where

pre_p = { p(t, s) | list(t) },  post_p = { p(t, s) | list(s) }.

TWO is correct w.r.t. spec_TWO, as spec_TWO ⊨ TWO_p⁶ and TWO_q is correct w.r.t. spec_TWO by our initial assumption.⁷

Correctness of TWO w.r.t. spec_TWO implies that if p is called with the first argument being a list and succeeds then the second argument is bound to a list. Now we discuss how this can be proved using the operational method. Let A_r denote the set of all atoms with the predicate symbol r.

To express this property one needs a call-success specification (pre, post) such that pre ∩ A_p = pre_p and post ∩ A_p = post_p. Assume that the operational proof method is applicable to this specification, in other words that the verification conditions (3) hold. Hence in any LD-derivation any procedure call is in pre and any procedure success is in post, provided the initial goal is in pre.

As explained previously, a usual way of using the operational method is such that "ill-typed" atoms are excluded from the postcondition. This is impossible for program TWO, as in the computations (i.e. LD-derivations) started from a goal A ∈ pre_p, predicate q may succeed with its second and fourth arguments not being lists.

Notice that the precondition pre has to permit any value of the second, third and fourth argument of q, as during the computation q is invoked with these arguments being variables. Formally, pre contains any atom of the form q(t1, t2, t3, t4) where t1 is a list. These atoms are in pre¹_q, but (some of them) are not in pre²_q. Thus pre²_q cannot be used as a precondition for q (more precisely, pre ∩ A_q cannot be pre²_q, or a subset of pre²_q).

We could use pre¹_q as a precondition for q (formally pre ∩ A_q could be pre¹_q) provided that q did not occur in any clause body of TWO_q. Otherwise we have to use the trivial precondition for q (formally pre ∩ A_q = A_q), as nothing is known about the procedure calls in TWO_q.⁸

Hence for the last implication of the verification conditions for TWO_p to hold, the postcondition has to express that if the i-th argument of q is a list then its argument i + 2 is a list, for

⁶ Here are the details of the proof. Take a ground instance H ← B1, B2 of the clause of TWO_p. Notice that:

H ∈ pre_p implies B1 ∈ pre¹_q,   B1 ∈ post¹_q implies B2 ∈ pre¹_q,
B1 ∈ post²_q implies B2 ∈ pre²_q,   B2 ∈ post²_q implies H ∈ post_p,
B2 ∈ post¹_q implies B1 ∈ pre²_q.

Assume that spec_TWO ⊨ B1, B2. Thus we have, for i = 1, 2:

B_i ∈ pre¹_q implies B_i ∈ post¹_q,   B_i ∈ pre²_q implies B_i ∈ post²_q.

Combining these implications together we obtain that H ∈ pre_p implies H ∈ post_p. This means that spec_TWO ⊨ H.

⁷ To view this reasoning as an application of Proposition 3.2, take a specification I = M_TWO_q ∪ (pre_p ⇒ post_p ∩ {p(t1, t2) | t1, t2 are ground terms}). I ⊆ spec_TWO (as M_TWO_q ⊆ spec_q), and I ⊨ TWO (as spec_TWO ⊨ TWO_p).

⁸ Notice that the same holds if we swap the body atoms of TWO_p.
i = 1, 2. So the postcondition for q is the declarative specification spec_q lifted to non-ground terms. Formally, post ∩ A_q = (pre¹_q ∪ post¹_q) ∩ (pre²_q ∪ post²_q).

Conceptually, pre¹_q and pre²_q are preconditions, as they are premises of implications which have to be used in the proof. However, as shown above, pre²_q (and pre¹_q, for some programs TWO_q) cannot be used in the precondition of the operational method. Instead they have to be employed in the postcondition.

Notice that the first two implications of the verification conditions hold trivially, and that proving the last implication is basically a generalization of the declarative proof presented above.⁹

Thus the operational proof for TWO p is basically the same as the declarative 
method proof presented above. (Restriction of the former to ground clause instances 
gives the latter.) 

Propositions 3.9 and 3.10 show that, for proving properties of program answers, we do not need preconditions. Declarative specifications and the natural method of Section 3.1 are sufficient. The proof of Proposition 3.10 shows how every operational method proof can be easily transformed into a natural method one, introducing only minor changes. The converse does not hold; Examples 3.11 and 3.12 show that in some cases a natural method proof cannot be converted into an operational one with a non-trivial precondition.

The operational method is a generalization of the natural one: roughly speaking, any natural method proof can be seen as an operational one with a trivial precondition (Proposition 3.7). The operational method proves more, as it also deals with the form of procedure calls and successes in LD-resolution. However it is more complicated and, for declarative properties, it is not stronger than the natural one. In our opinion, when one is interested only in declarative properties, the natural method should be preferred to the operational one.



3.3 Completeness of Definite Programs 

Let us begin from an observation that for a given program a specification for completeness is in general different from that for correctness. For the purposes of correctness we describe a superset of the set of answers of a program. For the purposes of completeness we describe its subset, as a program satisfying a completeness requirement may compute something more than required. Often when a specification for correctness is of the form pre ⇒ post then a specification for completeness is post.

[Figure: the specification for completeness (the required answers) lies inside the specification for correctness; answers outside the latter are incorrect.]

⁹ One has to show that if H ∈ pre_p and B1, B2 ∈ (pre¹_q ∪ post¹_q) ∩ (pre²_q ∪ post²_q) then H ∈ post_p, for any instance H ← B1, B2 of the clause of TWO_p. For ground instances this is equivalent to spec_TWO ⊨ TWO_p.

For instance, it makes no sense to require that the APPEND program be complete w.r.t. the specification spec from the beginning of Section 3.1 or spec_APPEND from Example 3.4. Such a program would have to compute "ill-typed" answers, like app(a, b, c). Our specification for completeness of APPEND is the Herbrand interpretation

specC_APPEND = {app(k, l, m) ∈ H | k, l, m are lists, k * l = m}.

Notice that it properly expresses our intentions: APPEND should compute all the cases of list concatenation. The difference spec_APPEND \ specC_APPEND contains only "ill-typed" atoms, with the first or second argument not being a list. We are not interested whether they are answers of APPEND.

As previously, we consider specifications which are (possibly non-Herbrand) interpretations. Additionally we require that a specification is over a preinterpretation J in which equality satisfies the Clark equality theory CET.¹⁰ (Alternatively, we may consider specifications which are theories containing CET.)

Definition 3.13

A definite program P is complete for a query Q w.r.t. a specification specC if specC ⊨ Qθ implies that Qθ is an answer for P, for any instance Qθ of Q. P is complete w.r.t. specC if it is complete for any query w.r.t. specC.

Remember that Qθ is an answer for P iff P ⊨ Qθ; this implies that Qθ is an instance of some computed answer for Q.

Below we refer to the theory ONLY-IF(P) (Doets 1994, p. 135) that is usually used while defining the Clark completion of a program P. Informally, ONLY-IF(P) is P with implications reversed. For each predicate symbol p, if the clauses of P beginning with p are p(t̄1) ← B1, …, p(t̄k) ← Bk then ONLY-IF(P) contains

$$p(\bar{x}) \to \bigvee_{i=1}^{k} \exists\,(\bar{x} = \bar{t}_i \wedge B_i)$$

where x̄ are distinct new variables and the quantification is over the variables occurring in the clauses. For k = 0 the implication is equivalent to ¬p(x̄). In our example, ONLY-IF(APPEND) is (equivalent to)

app(x, y, z) → x = [], y = z ∨ ∃h, k, m (x = [h|k], z = [h|m], app(k, y, m)).

We also need a specification for equality:

spec= = { =(t, t) | t ∈ |J| }

where |J| is the carrier of the considered preinterpretation J. So in the case of Herbrand specifications we have spec= = { =(t, t) | t is a ground term }.

¹⁰ As an example of what happens if this requirement is not satisfied, consider J in which the constants a, b are given the same value. Take an interpretation spec over J such that spec ⊨ p(a). Then a program P = {p(a) ←} is not complete w.r.t. spec, as spec ⊨ p(b) but p(b) is not an answer of P.
The following can be used to prove completeness of a program.

Proposition 3.14 (Completeness, definite programs)

Let P be a definite program and Q a query. Assume that the set of function symbols of the underlying language is infinite. If

(i) specC ∪ spec= ⊨ ONLY-IF(P) and

(ii) P terminates for Q, i.e. there exists a finite SLD-tree for P and Q

then P is complete for Q w.r.t. specC.

If P is complete w.r.t. specC for each ground instance of each atom from a query Q then P is complete for Q w.r.t. specC.

Notice that no particular selection rule is required in (ii). For Herbrand specifications, condition (i) means that for each A ∈ specC there exists a ground instance A ← B1, …, Bn of a clause of P such that B1, …, Bn ∈ specC.

Proof

The first part of the proposition follows from a more general Theorem 4.21. (Take spec = (T, specC), where T is the set of all J-atoms over the considered preinterpretation. By Theorem 4.6, P seen as a normal program is correct w.r.t. spec and thus Theorem 4.21 can be applied.)

For the second part, let Q = A1, …, An and P be complete w.r.t. specC for each ground instance of each Ai. Now specC ⊨ Qθ implies specC ⊨ Aiθσ and then P ⊨ Aiθσ, for each ground instance Aiθσ of Aiθ, i = 1, …, n. This implies P ⊨ Aiθ. The latter follows from the fact that if P ⊨ Aσ for each ground instance Aσ of an atom A then P ⊨ A (see e.g. Theorem 3.3 of (Apt et al. 1996); the proof there requires an infinite set of constants, but can be easily modified for an infinite set of function symbols). We obtained P ⊨ Aiθ for i = 1, …, n; this means P ⊨ Qθ. □

Example 3.15

Consider program APPEND and the specification specC_APPEND given above. It is easy to show that specC_APPEND ∪ spec= ⊨ ONLY-IF(APPEND). One can show, using any standard method, that APPEND terminates for any ground atomic query. Thus APPEND is complete for any ground atomic query and then, by the second part of the proposition, complete.

Consider a query Q = app(X, Y, m), where X, Y are variables and m a possibly non-ground list. For any lists k, l such that k * l = m we have specC_APPEND ⊨ app(k, l, m). By completeness of APPEND, P ⊨ app(k, l, m). So by completeness of SLD-resolution, app(k, l, m) (or a more general atom) is a computed answer for Q. Summarizing, Q produces all the required divisions of m into two lists.

In our opinion, Proposition 3.14 is a formalization of a rather natural way of informal reasoning about completeness, which consists of checking that any tuple of argument values to be defined by the predicate is "covered" by some of its clauses.

The proposition without condition (ii) does not hold. Program { app(X, Y, Z) ← app(X, Y, Z) } is a counterexample. Also the requirement on function symbols cannot be removed. For a counterexample take P = {p(a) ←, p(b) ←}, Q = p(X), a Herbrand universe {a, b} and a Herbrand interpretation specC = {p(a), p(b)}. Then specC ⊨ Q and P is not complete for Q. However (i) and (ii) hold.
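The "covered by some clause" reading of condition (i), and the looping counterexample just given, can be checked mechanically on a finite fragment of the Herbrand universe. The following is an added example, not code from the paper: it assumes lists over {a, b} of length at most 3 and takes the APPEND clauses from ONLY-IF(APPEND) above.

```python
"""Finite check of condition (i) of Proposition 3.14: for each A in specC
there is a ground clause instance A <- B1,...,Bn with all Bi in specC.

Added example, not from the paper.  Assumption: the Herbrand universe is cut
down to lists over {a, b} of length <= MAXLEN, so a pass is evidence on that
fragment, not a proof.  Atoms are tuples ("app", k, l, m); lists are tuples.
"""
from itertools import product

ELEMS = ("a", "b")
MAXLEN = 3


def lists(maxlen=MAXLEN):
    """All ground lists over ELEMS of length <= maxlen (constructed universe)."""
    for n in range(maxlen + 1):
        for t in product(ELEMS, repeat=n):
            yield tuple(t)


def specC_append(maxlen=MAXLEN):
    """specC_APPEND = {app(k, l, m) | k, l, m lists, k * l = m}, restricted."""
    return {("app", k, l, k + l)
            for k in lists(maxlen) for l in lists(maxlen)
            if len(k) + len(l) <= maxlen}


def append_bodies(atom):
    """Bodies of the ground instances of the APPEND clauses whose head is
    `atom`, read off ONLY-IF(APPEND):
      app(x,y,z) -> (x = [], y = z) or exists h,k,m (x = [h|k], z = [h|m], app(k,y,m))
    """
    _, x, y, z = atom
    if x == () and y == z:                 # app([], L, L) <-
        yield ()
    if x and z and x[0] == z[0]:           # app([H|K], L, [H|M]) <- app(K, L, M)
        yield (("app", x[1:], y, z[1:]),)


def loop_bodies(atom):
    """The single clause app(X, Y, Z) <- app(X, Y, Z): every atom covers itself."""
    yield (atom,)


def uncovered(specC, bodies):
    """Atoms of specC violating condition (i), i.e. with no clause instance
    whose body lies entirely in specC.  Empty set <=> (i) holds on the fragment."""
    return {A for A in specC
            if not any(all(B in specC for B in body) for body in bodies(A))}
```

The looping program passes the same check, which is exactly why condition (ii) cannot be dropped: (i) alone does not distinguish APPEND from { app(X, Y, Z) ← app(X, Y, Z) }.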

The method proposed here proves program completeness for queries that terminate. This should not be seen as a disadvantage, since in most cases termination of a program has to be established anyway. Deransart and Małuszyński (1993, Section 6.2.2, Theorem 6.1) provide a similar sufficient condition for completeness, which does not refer to termination. Instead of (ii) it employs some other property, which involves norms on atoms. Checking that property is similar to proving termination. So whenever termination has to be shown anyway, our approach is simpler.

Notice that Proposition 3.14 is also applicable when termination is not proven. Condition (i) alone implies that if we obtain a terminating execution for a particular query Q then all the answers for Q required by the specification have been computed.

There is a certain limitation in using interpretations as specifications for completeness. One cannot express properties like "for any lists k, l there exists some m such that P ⊨ app(k, l, m)." (The same limitation applies to call-success specifications of the operational approach from the previous section.) Such properties can however be expressed by specifications which are theories.

The proof method of Proposition 3.14 is not complete, in contrast to that of (Deransart and Małuszyński 1993). For a counterexample, consider a program P containing a clause p(x) ← p(x). P is complete (for query p(x)) w.r.t. specification M_P, but condition (ii) does not hold.

The method is however complete for an arbitrary program P and any query Q for which P terminates (or any query A1, …, An such that P terminates for any ground instance of Ai, for i = 1, …, n). To prove this fact, assume that P is complete w.r.t. a specification specC. Then there exists a weaker specification specC' ⊇ specC such that P is complete w.r.t. specC' and (i) holds for specC'. One may take as specC' the least model of P over the given preinterpretation. Thus Proposition 3.14 makes it possible to show that, for any query as above, P is complete w.r.t. specC', and thus w.r.t. specC.



4 Reasoning about normal programs

We first discuss specifications for normal programs and present a 2-valued characterization of the 3-valued completion semantics. Then we introduce a method for proving correctness (Section 4.3) and a method for proving completeness of programs (Section 4.4). Each presentation includes an example, discussion of completeness of the method and comparison with an operational approach. In the section on correctness we also show how the presented approach can be used to generalize a well-known method for proving termination. We conclude with a bigger example (Section …).

In this chapter, unless stated otherwise, the considered programs (queries) are normal programs (queries). We are interested in the completion semantics (logical consequences of program completion in 3-valued logic (Kunen 1987)). This semantics corresponds to an operational notion of finite failure. So we usually skip "finitely" in phrases like "finitely fails".

4.1 Specifications for normal programs

In order to introduce specifications for normal programs let us first consider definite programs with queries which may contain negative literals. Assume that we have a definite program P complete w.r.t. a Herbrand specification specC and correct w.r.t. a specS (C as completeness, S as soundness). If an atomic query A fails then specC ⊨ ¬A. So for P and atomic queries, negation as finite failure is correct w.r.t. the specification for completeness. Now consider a query Q = p(t̄), ¬q(ū). If it succeeds with an answer Qθ then spec1 ⊨ Qθ for an interpretation spec1 that interprets p as specS and q as specC. If Q fails then spec2 ⊨ ¬Q for an interpretation spec2 that interprets p as specC and q as specS. In order to deal with this phenomenon, we will use the following renamings of predicate symbols.

Definition 4.1

Let L be a first order language. Let Q be a formula or a set of formulae (e.g. a query or a program) of L. Let us extend L by adding, for any predicate symbol p, a new predicate symbol p'.

Q' is Q with p replaced by p' in every negative literal of Q (for any predicate symbol p, except for =). Similarly, Q'' is Q with p replaced by p' in every positive literal.

If I is an interpretation for L then I' is the interpretation obtained from I by replacing each predicate symbol p by p'.

For normal programs, a specification for correctness should describe two (possibly 
overlapping) sets of ground atoms — those allowed to succeed and those allowed to 
fail. Similarly, a specification for completeness should describe two (disjoint) sets, 
of the ground atoms required to fail and of those required to succeed. It is natural 
to allow to succeed any atom not required to fail, and allow to fail any atom not 
required to succeed. Hence the two sets needed to specify correctness can be the 
complements of the two sets used to specify completeness. 

Definition 4.2

A specification for a normal program is a pair (specS, specC), where specC and specS are interpretations over the same preinterpretation J, in which the equality satisfies the Clark equality theory CET.

A specification (specS, specC) is called proper if specC ⊆ specS.

Formal definitions of correctness and completeness are given in the respective sections below. For an informal explanation, assume that a program P is correct w.r.t. a proper Herbrand specification spec = (specS, specC). Then, if a ground atomic query A succeeds then A ∈ specS, and if it fails then A ∉ specC. If P is complete w.r.t. spec then any A ∈ specC succeeds and any A ∉ specS fails. Thus atomic queries from specS − specC are allowed to succeed or to fail, but nothing is required about these queries.

One can consider correctness w.r.t. a specification that is not proper (atomic queries from specC − specS are neither allowed to succeed nor to fail). On the other hand a program cannot be complete w.r.t. a non-proper Herbrand specification. This would require that some atoms both succeed and fail.

Sometimes it may be helpful to view our specifications as interpretations in the 4-valued logic of Belnap. The logical values in this logic are the subsets of {true, false}. By removing the value {true, false} we obtain the logical values of the 3-valued logic that is usually used when dealing with semantics of logic programs. For a 4-valued interpretation I and a formula F, I ⊨₄ F means that the logical value of F in I contains true. For more details see (Fitting 1991) or (Stärk 1996). A specification spec = (specS, specC) can be seen as a pair I_S(spec), I_C(spec) of 4-valued interpretations. The first interpretation corresponds to viewing spec as a specification for correctness, the other to viewing it as a specification for completeness.

Definition 4.3

Let spec = (specS, specC) be a specification over a preinterpretation J.

I_S(spec) is the 4-valued interpretation over J such that for any J-atom A the logical value of A contains true iff A ∈ specS, and it contains false iff A ∉ specC.

I_C(spec) is the 4-valued interpretation over J such that for any J-atom A the logical value of A contains true iff A ∈ specC, and it contains false iff A ∉ specS.

We will avoid 4-valued interpretations by employing the predicate renaming of Definition 4.1.



4.2 Characterization of 3-valued completion semantics

In this section we introduce a characterization of the 3-valued completion semantics of normal programs. The characterization uses the standard 2-valued logic. It employs renaming of predicate symbols. There exist other 2-valued characterizations of the completion semantics, based on predicate renaming. The approach of Mancarella et al. (…) (see also references therein) is applicable to a restricted class of programs and deals with a different semantics, which employs a domain closure axiom (thus the underlying language has a finite set of function symbols). Our characterization combines the ideas of those of (Stärk 1996) and (Drabent and Martelli 1991).



Lemma 4.4 (Characterization of completion semantics)

Let P be a program and Q a query.

comp(P) ⊨₃ Q iff P' ∪ ONLY-IF(P'') ∪ CET ⊨ Q',
comp(P) ⊨₃ ¬Q iff P' ∪ ONLY-IF(P'') ∪ CET ⊨ ¬Q''.

Proof

We use a result of Stärk (1996) who introduced a notion of partial completion of a logic program and showed that 3-valued consequences of the completion of a normal program are classical consequences of the partial completion of the program (modulo simple syntactic transformations described below).

The main observation is that Stärk's partial completion pcomp(P) of a program P and P' ∪ ONLY-IF(P'') ∪ CET are just syntactical transformations of each other.

Let L be the underlying first-order language. The language L̂ used by Stärk is obtained from L by adding for every predicate symbol p a new symbol p̂ with the same arity.

Let us transform P', ONLY-IF(P''), Q' and ¬Q'' as follows:

- replace in ONLY-IF(P'') each implication of the form α → β by ¬β → ¬α,

- transform each formula containing negation to an equivalent form in which negation occurs only in negated literals,

- substitute each occurrence of a negated literal of the form ¬p'(t̄) by the atom p̂(t̄) (notice that every negated literal will be of that form and the obtained formulae do not contain primed predicate symbols).

Let us denote the translation of F by F̂ (where F is P', ONLY-IF(P''), Q' or ¬Q''). Now the partial completion pcomp(P) of a program P is the union of the translations of P' and of ONLY-IF(P'') with CET.

From Theorems 3.2 and 3.4 in (Stärk 1996) it follows that:

comp(P) ⊨₃ Q iff pcomp(P) ⊨ the translation of Q',
comp(P) ⊨₃ ¬Q iff pcomp(P) ⊨ the translation of ¬Q''.

Let F be Q' (resp. ¬Q''). pcomp(P) ⊨ F̂ is equivalent to P' ∪ ONLY-IF(P'') ∪ CET ⊨ F. □

4.3 Correctness of normal programs

We now introduce our method for proving program correctness. The presentation is followed by an example proof. Section 4.3.3 discusses completeness of the method and the next section compares the method with some other approaches. Section 4.3.5 shows how correctness w.r.t. approximate specifications can be employed in generalizing a known method of proving program termination. The reader may wish to skip Sections 4.3.3 to 4.3.5 in the first reading.

4.3.1 Proof method

Definition 4.5

We say that a program P is correct with respect to a specification spec = (specS, specC) if for any query Q

(i) if comp(P) ⊨₃ Q then specS ∪ specC' ⊨ Q',

(ii) if comp(P) ⊨₃ ¬Q then specS ∪ specC' ⊨ ¬Q''.

The reader may compare this definition with the informal discussion of Section 4.1 related to Definition 4.2.¹¹ In particular, if P is correct with respect to spec = (specS, specC), then from the soundness of SLDNF-resolution it follows that every computed answer Q (of SLDNF-resolution) satisfies specS ∪ specC' ⊨ Q'. It means that for each positive literal A in Q, specS ⊨ A, and for each negative literal ¬A in Q, specC ⊨ ¬A. For P and spec as above, if a query Q fails then specS ∪ specC' ⊨ ¬Q'' (by soundness of negation as failure). In the case of queries consisting of one literal A (resp. ¬A) it means that specC ⊨ ¬A (resp. specS ⊨ A).

¹¹ Notice that specS ∪ specC' ⊨ Q' is equivalent to I_S(spec) ⊨₄ Q, and specS ∪ specC' ⊨ ¬Q'' is equivalent to I_S(spec) ⊨₄ ¬Q.

The same holds for any operational semantics which is sound w.r.t. the 3-valued completion semantics. This includes constructive negation (cf. (Drabent 1995) and the references therein) and extensions of SLDNF-resolution allowing selecting a non-ground negative literal ¬A if A fails or succeeds without binding its variables (Lloyd 1987; Stärk 1996).

The proposed proof method is given by the following theorem. (spec= is defined in Section 3.3.)

Theorem 4.6 (Correctness, normal programs)

Let P be a program and spec = (specS, specC) a specification, such that

(a) specS ∪ specC' ⊨ P'

(b) specS ∪ specC' ∪ spec= ⊨ ONLY-IF(P'')

then P is correct w.r.t. spec.

Proof

From (a), (b) and spec= ⊨ CET we obtain specS ∪ specC' ∪ spec= ⊨ P' ∪ ONLY-IF(P'') ∪ CET. Assume that comp(P) ⊨₃ Q (respectively comp(P) ⊨₃ ¬Q). By Lemma 4.4, specS ∪ specC' ⊨ Q' (resp. specS ∪ specC' ⊨ ¬Q''). □

4.3.2 Example correctness proof

We illustrate our correctness proof method by applying it to a program (from (Stärk 1996)) defining the subset relation. We present a detailed proof.

Example 4.7

Let P be the following program:

subset(L, M) ← ¬notsubset(L, M)
notsubset(L, M) ← member(X, L), ¬member(X, M)
member(X, [X|L]) ←
member(X, [Y|L]) ← member(X, L)

Consider the Herbrand specification spec = (specS, specC), where

specS = sS_m ∪ sS_n ∪ sS_s,   specC = sC_m ∪ sC_n ∪ sC_s,

sS_m = {member(x, l) | l is a list → x ∈ l}
sC_m = {member(x, l) | l is a list ∧ x ∈ l}
sS_n = {notsubset(l, m) | l and m are lists → l ⊄ m}
sC_n = {notsubset(l, m) | l and m are lists ∧ l ⊄ m}
sS_s = {subset(l, m) | l and m are lists → l ⊆ m}
sC_s = {subset(l, m) | l and m are lists ∧ l ⊆ m}

(l ⊆ m means that all elements of l are elements of m.)

We would like to prove that our program is correct with respect to the above specification spec. We show that conditions (a) and (b) of Theorem 4.6 are satisfied. This implies that whenever subset(l, m) is a computed answer of P then sS_s ⊨ subset(l, m), and thus if l, m are lists then l ⊆ m. Also, whenever a query subset(l, m) fails then sC'_s ⊨ ¬subset'(l, m). Hence l or m is not a list or l ⊄ m.

Let spSC = specS ∪ specC'. In order to prove condition (a) one has to show, for each clause C of P, that spSC ⊨ C'. In order to prove condition (b) one has to show that each implication of ONLY-IF(P'') is true in the interpretation spSC ∪ spec=.

Let us first consider the second clause of program P. For condition (a) we have to prove that:

spSC ⊨ notsubset(L, M) ← member(X, L) ∧ ¬member'(X, M).

Let l, m, x be any elements of the universe such that spSC ⊨ member(x, l) ∧ ¬member'(x, m). That means that member(x, l) ∈ sS_m and member(x, m) ∉ sC_m. We would like to prove that notsubset(l, m) ∈ sS_n. So assume that l and m are lists. From member(x, l) ∈ sS_m we obtain that x ∈ l, and from member(x, m) ∉ sC_m that x ∉ m. Hence l ⊄ m.

For condition (b) and predicate notsubset we have to show that

spSC ⊨ notsubset'(L, M) → ∃X (member'(X, L) ∧ ¬member(X, M)).

Let l, m be any elements of the universe such that spSC ⊨ notsubset'(l, m). So l and m are lists and l ⊄ m. So there exists an element, say a, such that a ∈ l and a ∉ m. Thus member(a, l) ∈ sC_m and member(a, m) ∉ sS_m. Hence spSC ⊨ member'(a, l) ∧ ¬member(a, m), so the implication above is true in spSC.

Let C denote the first clause of P. Notice that subset(L, M) ↔ ¬notsubset(L, M) is true both in sS_s ∪ sC_n and in sC_s ∪ sS_n. After replacing notsubset by notsubset', this implies sS_s ∪ sC'_n ⊨ C', and hence (a) for the first clause. After replacing subset by subset', this implies sS_n ∪ sC'_s ⊨ subset'(L, M) → ¬notsubset(L, M), hence (b) for predicate subset.

The proof for predicate member boils down to a proof for a definite program (a proof of correctness and part (i) of a completeness proof, cf. Proposition 3.14). □
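The conditions (a) and (b) just verified by hand can also be checked mechanically on a finite fragment of the universe. The code below is an added example, not code from the paper; it assumes the universe restricted to the constants a, b and the lists over them of length at most 2, and encodes the six sets sS_m, …, sC_s of Example 4.7 as membership tests.

```python
"""Finite model check of conditions (a) and (b) of Theorem 4.6 for the
subset program of Example 4.7.

Added example, not from the paper.  Assumption: the Herbrand universe is cut
down to the constants a, b and the proper lists over {a, b} of length <= 2,
so a pass is evidence on that fragment, not a proof.  Atoms are tuples
(pred, args...); list terms are tuples, constants are strings.
"""
from itertools import product

ELEMS = ("a", "b")


def universe(maxlen=2):
    """Constructed finite fragment of the Herbrand universe."""
    terms = list(ELEMS)
    for n in range(maxlen + 1):
        terms += [tuple(t) for t in product(ELEMS, repeat=n)]
    return terms


def is_list(t):
    return isinstance(t, tuple)


def subset_of(l, m):
    """l ⊆ m as in the example: every element of l is an element of m."""
    return all(x in m for x in l)


def sS(atom):
    """A ∈ specS = sS_m ∪ sS_n ∪ sS_s (the '... are lists → ...' sets)."""
    p, *args = atom
    if p == "member":
        x, l = args
        return not is_list(l) or x in l
    l, m = args
    if not (is_list(l) and is_list(m)):
        return True
    return subset_of(l, m) if p == "subset" else not subset_of(l, m)


def sC(atom):
    """A ∈ specC = sC_m ∪ sC_n ∪ sC_s (the '... are lists ∧ ...' sets)."""
    p, *args = atom
    if p == "member":
        x, l = args
        return is_list(l) and x in l
    l, m = args
    if not (is_list(l) and is_list(m)):
        return False
    return subset_of(l, m) if p == "subset" else not subset_of(l, m)


def check_theorem_4_6(U, sS=sS, sC=sC):
    """Return (condition, counterexample) pairs found on the fragment U;
    an empty list means (a) and (b) hold there.

    Renaming of Definition 4.1: an unprimed literal is evaluated in specS,
    a primed one in specC (specC' interprets p' as specC interprets p);
    P' primes the negative literals, P'' the positive ones."""
    bad = []
    for l, m in product(U, repeat=2):
        # (a) P':  subset(L,M) <- ¬notsubset'(L,M)
        if not sC(("notsubset", l, m)) and not sS(("subset", l, m)):
            bad.append(("a:subset", (l, m)))
        # (b) ONLY-IF(P''):  subset'(L,M) -> ¬notsubset(L,M)
        if sC(("subset", l, m)) and sS(("notsubset", l, m)):
            bad.append(("b:subset", (l, m)))
        # (b) ONLY-IF(P''):  notsubset'(L,M) -> ∃X (member'(X,L) ∧ ¬member(X,M))
        if sC(("notsubset", l, m)) and not any(
                sC(("member", x, l)) and not sS(("member", x, m)) for x in U):
            bad.append(("b:notsubset", (l, m)))
        for x in U:
            # (a) P':  notsubset(L,M) <- member(X,L), ¬member'(X,M)
            if (sS(("member", x, l)) and not sC(("member", x, m))
                    and not sS(("notsubset", l, m))):
                bad.append(("a:notsubset", (x, l, m)))
    for x, l in product(U, repeat=2):
        if not is_list(l):
            continue
        # (a) P':  member(X,[X|L]) <-   and   member(X,[Y|L]) <- member(X,L)
        if not sS(("member", x, (x,) + l)):
            bad.append(("a:member", (x, l)))
        for y in ELEMS:
            if sS(("member", x, l)) and not sS(("member", x, (y,) + l)):
                bad.append(("a:member", (x, y, l)))
        # (b) ONLY-IF(P''):  member'(X,L) -> L=[X|_] ∨ ∃Y,L' (L=[Y|L'] ∧ member'(X,L'))
        if sC(("member", x, l)) and not (
                l and (l[0] == x or sC(("member", x, l[1:])))):
            bad.append(("b:member", (x, l)))
    return bad
```

Weakening the specification breaks the check in the expected place: with an empty sC_m the witness required by the ONLY-IF implication for notsubset' no longer exists, and the checker reports it under "b:notsubset".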

4.3.3 On completeness of the proof method

To discuss completeness of the proof method we need an ordering on specifications.

Definition 4.8

Let sp = (spS, spC), spec = (specS, specC) be specifications (over the same preinterpretation J). We say that sp is stronger than spec (written sp ≤ spec) if spS ⊆ specS and specC ⊆ spC.

The set of atoms allowed to succeed (fail) by the stronger specification is a subset of the set of atoms allowed to succeed (fail) by the weaker one. The set of atoms required to succeed (fail) by the stronger specification is a superset of the analogous set for the weaker one.

Notice that this definition corresponds to an intuitive notion of a stronger specification. Let spec1 ≤ spec2; then for any program P, if P is correct w.r.t. spec1 then it is correct w.r.t. spec2.

The ordering ≤ on specifications corresponds to the information content ordering ≤_k (Fitting 1991) on 4-valued specifications for correctness (cf. the last paragraphs of Section 4.1): spec1 ≤ spec2 iff I_S(spec1) ≤_k I_S(spec2). It also holds that spec1 ≤ spec2 iff I_C(spec2) ≤_k I_C(spec1).

We say that a proof method is complete for P if the following condition holds: if P is correct w.r.t. a specification spec then there exists a specification stronger than spec which satisfies the conditions of the proof method.

As the following examples show, the proof method for program correctness (Theorem 4.6) is not complete.

Example 4.9

Let P be the following program:

p(f(x)) ← p(x)
q ← p(x)

Consider a non-proper Herbrand specification spec = (∅, {q}), which says that no atom is allowed to succeed and all atoms except q are allowed to fail. Notice that I_S(spec) = Φ_P↑ω and Φ_P↑ω is not the ≤_k-least fixpoint, where Φ_P is the 4-valued immediate consequence operator of P (Fitting 1991). Program P is correct w.r.t. this specification. Unfortunately neither spec nor any specification stronger than spec satisfies conditions (a) and (b) of Theorem 4.6 (for justification see below). Thus the proof method cannot be applied.

On the other hand program P is correct w.r.t. a proper specification (∅, ∅), corresponding to the least fixpoint of the operator Φ_P, and this specification does satisfy conditions (a) and (b). □

Example 4.10

Consider a program P:

p(a) ←
q ← ¬p(x)

and assume that the underlying language has exactly one function symbol a. (This example can be easily generalized for any finite set of function symbols.) Notice that comp(P) ⊭₃ q and comp(P) ⊭₃ ¬q. Consider a Herbrand specification spec = ({p(a)}, {p(a), q}) which allows q neither to succeed nor to fail. P is correct w.r.t. spec but the verification condition of our method (Theorem 4.6) is not satisfied. The latter is due to {p(a), p'(a), q'} ⊭ q' → ∃x ¬p(x).

The condition holds for a weaker specification ({p(a)}, {p(a)}) that corresponds to the least fixpoint of Φ_P over the one-element Herbrand algebra.

To explain the incompleteness we will refer to the 4-valued immediate consequence operator Φ_P (over a preinterpretation J). A 4-valued interpretation I is a pre-fixpoint of Φ_P iff Φ_P(I) ≤_k I. For any α, the interpretation Φ_P↑α is 3-valued and is identical to the corresponding power of the 3-valued immediate consequence operator (Stärk 1996).

Conditions (a) and (b) of Theorem 4.6 mean that the 4-valued interpretation I_S(spec) corresponding to a specification spec over a preinterpretation J is a pre-fixpoint of Φ_P. A program P may be correct w.r.t. a specification spec for which I_S(spec) is not preceded by the least fixpoint of Φ_P (in the ordering ≤_k). Then there does not exist a specification which satisfies (a), (b) and is stronger than spec. Hence Theorem 4.6 is inapplicable in such a case. In Example 4.9 this happens because Φ_P↑ω is not a fixpoint of Φ_P. In Example 4.10 the program is correct w.r.t. a specification which is stronger than the

When the set of function symbols of the underlying language is infinite then the strongest Herbrand specification with respect to which P is correct is spec_ω, where I_S(spec_ω) = Φ_P↑ω. The latter follows from the fact (Kunen 1987) that comp(P) ⊨₃ F iff Φ_P↑n ⊨₃ F for some finite n (where F is a query or a negation of a query).

This reasoning can be summarized as:

Proposition 4.11

The correctness proof method of Theorem 4.6 is complete for an arbitrary program P and for any specification weaker than the ≤_k-least fixpoint of Φ_P.

When the set of function symbols of the underlying language is infinite then the proof method is complete for an arbitrary Herbrand specification spec and any program P for which Φ_P↑ω is the ≤_k-least fixpoint of Φ_P.

We believe that cases for which the method is not complete are rather artificial (like those from the two examples above) and are rare in practice.

4.3.4 Correctness proving methods — comparison

In this section we compare the correctness proof method from Section 4.3.1 with that for definite programs (Section 3.1) and with the approach of (Pedreschi and Ruggieri 1999). We show that the latter is (strictly) weaker, as far as declarative properties of programs are concerned.

We first show that the natural method for proving correctness of definite programs (Proposition 3.2) is a special case of the method for normal programs (Theorem 4.6). Let P be a definite program and specS a specification for correctness. Take spec = (specS, ∅). Then condition (a) is equivalent to specS ⊨ P (i.e. the verification condition of the natural method), and condition (b) reduces to spec= ⊨ ONLY-IF(P), which trivially holds.

A straightforward way of generalizing to normal programs the natural method for proving correctness of definite programs is to replace 2-valued interpretations by 4-valued ones, and programs by program completions:

Proposition 4.12

Let $P$ be a program, $Q$ a query and $I$ a 4-valued interpretation such that $I \models_4 comp(P)$.

1. If $comp(P) \models_3 Q$ then $I \models_4 Q$. If $comp(P) \models_3 \neg Q$ then $I \models_4 \neg Q$.

2. $P$ is correct w.r.t. a specification $spec$ such that $I_g(spec) = I$.



Proof

Let $F$ be $Q$ or $\neg Q$. From $comp(P) \models_3 F$ it follows that $comp(P) \models_4 F$ (Stärk 1996). As $I \models_4 comp(P)$, we obtain $I \models_4 F$. If $I_g(spec) = I$ then the implications 1. are equivalent to the conditions (i), (ii) of Definition 4.5 of program correctness. □

The proof method provided by Proposition 4.12 is in fact weaker than that of Theorem 4.6, as $I_g(spec) \models_4 comp(P)$ implies conditions (a) and (b) of the Theorem but not vice versa. This is because $I_g(spec) \models_4 comp(P)$ means that $I_g(spec)$ is a fixpoint of the 4-valued immediate consequence operator $\Phi_P$ (Stärk 1996), while conditions (a), (b) mean that it is a pre-fixpoint of $\Phi_P$. (For details see Section 4.3.3.)

Pedreschi and Ruggieri (1999) presented an operational method for proving total correctness of normal programs. It is an extension of the method for definite programs discussed in Section 3.2. The method uses call-success specifications (cf. Section 3.2); the difference is that the pre- and postconditions are Herbrand interpretations. The core of the method is the following definition of a proof relation $\vdash_t$. A level mapping is a function from ground atoms to natural numbers. For a level mapping $|\ |$ and an atom $A$, $|A|$ will denote the maximum of $\{\, |A\theta| : A\theta \text{ is ground} \,\}$, or $\infty$ when such a maximum does not exist.

Definition 4.13 ((Pedreschi and Ruggieri 1999), Definition 5.3)

Let $P$ be a program, and $(Pre, Post)$ a call-success specification, where $Pre$, $Post$ are Herbrand interpretations. We write $\vdash_t \{Pre\}\,P\,\{Post\}$ iff there exists a level mapping $|\ |$ such that:

(i) for every ground instance $A \leftarrow L_1, \ldots, L_n$ of a clause of $P$:

  1. for $i \in [1, n]$: $|A| > |B_i|$, where $L_i = B_i$ or $L_i = \neg B_i$;

(ii) $T_P(Post) \supseteq Post \cap Pre$.

If $\vdash_t \{Pre\}\,P\,\{Post\}$ holds and $P$ does not flounder for (ground atomic) queries from $Pre$ then $P$ is totally correct w.r.t. $(Pre, Post \cap Pre)$ in the following sense:

1. $Post \cap Pre$ is the set of those atoms from $Pre$ that succeed,

2. $Pre \setminus Post$ is the set of those atoms from $Pre$ that fail,

3. if $Pre \models A\theta$, $|A\theta|$ is finite, and $L$ is $A\theta$ or $\neg A\theta$ then the LDNF-tree with the root $L$

  (a) is finite, and

  (b) for each selected literal $A$ or $\neg A$ in the tree, $Pre \models A$.
Properties 1. and 2. mean that $P$ is correct (in the sense of Definition 4.5) w.r.t. a specification $spec$ for which $(\mathcal{H} \setminus Pre) \cup (Post \cap Pre)$ are the ground atoms allowed to succeed and $(\mathcal{H} \setminus Pre) \cup (Pre \setminus Post)$ are the ground atoms allowed to fail. A simple calculation results in $spec = ((\mathcal{H} \setminus Pre) \cup Post,\ Pre \cap Post)$.

The following proposition states that whenever the method of (Pedreschi and Ruggieri 1999) can provide a proof of program correctness (in the sense of Definition 4.5) then a proof can be obtained by our method.

Proposition 4.14

Assume that $\vdash_t \{Pre\}\,P\,\{Post\}$ holds. Then conditions (a) and (b) of Theorem 4.6 hold for the specification $spec = (specS, specC)$ such that $specS = (\mathcal{H} \setminus Pre) \cup Post$ and $specC = Pre \cap Post$. Hence $P$ is correct w.r.t. $spec$.



Proof

To prove (a) consider a ground instance $H \leftarrow B$ of a clause of $P$ and assume that $specS \cup specC' \models B'$ and $Pre \models H$. (If $Pre \not\models H$ then condition (a) trivially holds.) Then for each literal $L$ of $B$ we obtain from (i)1. by induction that $Pre \models L$ if $L$ is positive, $Pre \models \neg L$ if $L$ is negative, and hence $Post \models L$ (as in the first case $specS \models L$ and in the second case $specC' \models L'$). Thus $Post \models H$, by (i)2., and $specS \cup specC' \models H$.

To prove (b) it is sufficient to show that for every ground atom $A$ such that $specC \models A$ there exists a ground instance of a program clause $A \leftarrow B$ such that $specS \cup specC' \models B''$. Let $A$ be a ground atom for which $specC \models A$ (i.e. $A \in Pre \cap Post$). By (ii) $A \in T_P(Post)$. From the definition of $T_P$ it follows that there exists a ground instance of a program clause $A \leftarrow B$ such that $Post \models B$. From (i)1. each literal $L_i$ of $B$, where $L_i = B_i$ or $L_i = \neg B_i$, satisfies $Pre \models B_i$. In case $L_i = B_i$ we have $Post \models L_i$ and $Pre \models L_i$, thus $specC \models L_i$. In case $L_i = \neg B_i$ we have $Post \models L_i$ and $Pre \not\models L_i$, thus $specS \models L_i$. Hence $specS \cup specC' \models L_i''$ for every literal $L_i$ of $B$, so $specS \cup specC' \models B''$. □

The condition $\vdash_t \{Pre\}\,P\,\{Post\}$ in the Proposition may be weakened: notice that no facts concerning the level mapping (from the definition of $\vdash_t$) were used in the proof.

We showed that the proof method of (Pedreschi and Ruggieri 1999) is weaker than that of Theorem 4.6, as far as the declarative semantics and program correctness are concerned. It is actually strictly weaker, due to the following limitations. The method deals only with total correctness, thus correctness, completeness and termination have to be proved together; none of them can be dealt with separately. As a result, the method is not applicable to approximate specifications, for which a program is correct but not complete (or does not terminate). A specification has to be exact for the atoms in $Pre$, in the sense that it states exactly which of them succeed and which fail. Formally, $Pre \cap Post$ is unique for a given program and precondition.^12 The method deals with LDNF-resolution and is inapplicable to programs that flounder or do not terminate under the Prolog selection rule (but are intended to be executed under some other operational semantics, for instance delays or constructive negation). It is also inapplicable when the LDNF-tree is infinite but has success nodes (e.g. when a query has an infinite set of computed answers). In all these cases the method of Theorem 4.6 is applicable. Notice also that the operational method, in contrast to our approach, requires separate proving of non-floundering.

12 Notice that this restriction does not concern the operational method for definite programs (Section 3.2); that method permits approximate specifications.

Obviously, the method of (Pedreschi and Ruggieri 1999) deals also with properties which are out of the scope of our approach, namely termination and the form of selected literals in LDNF-resolution. See Section 4.4 for a comparison with the method for proving program completeness proposed in this paper.

4.3.5 A note on proving termination

This section, in contrast to the rest of the paper, considers a property which is not declarative. We show how approximate specifications (which describe the declarative notion of program correctness) can be employed in generalizing a well-known method of proving termination.

Apt and Pedreschi (1993) presented a method of proving termination of normal programs with the Prolog selection rule. They introduced a notion of an acceptable program (w.r.t. a 2-valued interpretation $I$ and a level mapping). Any acceptable program is left terminating, which means that it terminates with the Prolog selection rule for all ground goals. The interpretation $I$ is a model of the program and a model of $comp(P^-)$, where $P^-$ is the part of the program involved in negation.^13 It turns out that $I$ is unique for all the predicates in $P^-$ (Apt and Pedreschi 1993). This is a disadvantage of the approach; to show that $P$ is left terminating one has to know the unique interpretation.

We show that the unique 2-valued interpretation can be replaced by an approximate specification $spec$ w.r.t. which the program is correct. We introduce a notion of an approximately acceptable program (a-acceptable in short). We prove that each a-acceptable program is acceptable, and thus left terminating.

Definition 4.15

Let $P$ be a program, $|\ |$ a level mapping, and $spec = (specS, specC)$ a specification. $P$ is called a-acceptable with respect to $|\ |$ and $spec$ if $P$ is correct w.r.t. $spec$, and for every ground instance $A \leftarrow L_1, \ldots, L_n$ of a clause from $P$ the following implication holds for $i \in [1, n]$:

  if $specS \cup specC' \models \bigwedge_{j=1}^{i-1} L'_j$ then $|A| > |L_i|$,

where $|\neg B| = |B|$ for any ground atom $B$.

13 To define $P^-$, first $Neg^*_P$ is introduced; it is the least set such that any predicate symbol occurring in a negative literal of $P$ is in $Neg^*_P$, and if $p \in Neg^*_P$ occurs in the head of a clause $C$ of $P$ and $q$ in the body of $C$ then $q \in Neg^*_P$. Program $P^-$ contains those clauses of $P$ that use symbols from $Neg^*_P$ in their heads.
This definition differs from that of an acceptable program in two aspects. Condition $I \models \bigwedge_{j=1}^{i-1} L_j$ has been replaced by $specS \cup specC' \models \bigwedge_{j=1}^{i-1} L'_j$. Also, $P$ is required to be correct w.r.t. $spec$, instead of $I$ being a model of $P \cup comp(P^-)$, where $comp$ is taken w.r.t. the alphabet $Neg^*_P$ of predicate symbols.^14

The notion of a-acceptability is a generalization of that of acceptability. If $P$ is acceptable w.r.t. $|\ |$ and an interpretation $I$ which is a model of $comp(P)$, then $P$ is a-acceptable w.r.t. $|\ |$ and $spec = (I, I)$. This follows directly from the definitions and from the fact that $I \models comp(P)$ implies correctness of $P$ w.r.t. $(I, I)$.

In the general case, if $P$ is acceptable w.r.t. $|\ |$ and an interpretation $I$ over a preinterpretation $J$ then $P$ is a-acceptable w.r.t. $|\ |$ and $spec = (I, I \setminus B)$, where $B$ is the set of $J$-atoms of the form $p(\bar t)$ with $p \notin Neg^*_P$. This follows from the definitions and from the fact that $I \models P \cup comp(P^-)$ implies that $P$ is correct w.r.t. $(I, I \setminus B)$. The latter implication follows from a lemma that for any $J$-literal $L$ and any natural number $n$, if $L$ is true in (the 3-valued interpretation) $\Phi_P \uparrow n$ then $L'$ is true in (2-valued) $I \cup (I \setminus B)'$, where $\Phi_P$ is the 3-valued immediate consequence operator over $J$. We skip the details of the proof.

To show that a-acceptability implies left termination we employ the following theorem, analogous to Theorem 6.7 of (Apt and Pedreschi 1993). In what follows, $\Phi_P$ denotes the 3-valued immediate consequence operator. A 3-valued Herbrand interpretation is total if any ground atom is either true or false in this interpretation.

Theorem 4.16

Assume that the set of function symbols is infinite. Let $P$ be an a-acceptable program w.r.t. $|\ |$ and $spec$. Then $\Phi_P \uparrow \omega$ is total.

Proof (outline)

The proof is basically the same as that of (Apt and Pedreschi 1993), however a substantial part of the latter proof is made shorter. The part is entitled Subcase 2 and shows that $\Phi_P \uparrow n \models_3 \neg L_k$, for a literal $L_k$ which is not undefined in $\Phi_P \uparrow n$ and for which $I \models \neg L_k$ (where $P$ is acceptable w.r.t. $I$). In our case $I \models \neg L_k$ is replaced by $specS \cup specC' \models \neg L'_k$ (where $spec = (specS, specC)$) and the whole Subcase 2 is reduced to the following: an assumption that $L_k$ is true in $\Phi_P \uparrow n$ leads (by the Kunen theorem (Kunen 1987; Doets 1994)) to $comp(P) \models_3 L_k$, and, by correctness of $P$, to $specS \cup specC' \models L'_k$, a contradiction. So $\Phi_P \uparrow n \models_3 \neg L_k$. □

Now we can prove the main result.

Theorem 4.17

Assume that the set of function symbols is infinite. Let $P$ be an a-acceptable program w.r.t. $|\ |$ and $spec$. Then $P$ is acceptable (w.r.t. $|\ |$ and some interpretation) and $P$ is left terminating.

14 Thus if $comp(P^-)$ contains an axiom $\neg p(\bar x)$ then $p \in Neg^*_P$.
Proof

Let $spec = (specS, specC)$ and $P$ be as in the assumptions of the theorem. By Theorem 4.16 $\Phi_P \uparrow \omega$ is total, thus it is the least fixpoint of $\Phi_P$, hence $\Phi_P \uparrow \omega \models_3 comp(P)$. Let $I$ be the set of ground atoms true in $\Phi_P \uparrow \omega$; we have $I \models comp(P)$.

Now to show that $P$ is acceptable w.r.t. $I$ and $|\ |$, it is sufficient to show that $I \models L$ implies $specS \cup specC' \models L'$, for any ground literal $L$.

Consider a ground literal $L$ such that $I \models L$. This means $\Phi_P \uparrow \omega \models_3 L$. Thus $\Phi_P \uparrow n \models_3 L$ for some $n < \omega$. Hence $comp(P) \models_3 L$, by the Kunen theorem (Kunen 1987; Doets 1994). So $specS \cup specC' \models L'$, by the correctness of $P$. □

Example 4.18

To illustrate the method we employ the following program, similar to the program GAME of (Apt and Pedreschi 1993).

    win(X) ← move(X, Y), ¬win(Y).
    move([1|X], X).
    move([1,1|X], X).
    move([1,1,1,1|X], X).

It models a two-person game: in each move a player removes a certain number of tokens (here one, two or four), and the one who removes the last token wins.

Let $|\ |$ be the function on ground terms such that $|f(t_1, \ldots, t_n)| = 0$ if $f \neq [\,\cdot\,|\,\cdot\,]$ and $|[t_1|t]| = |t| + 1$. Consider the level mapping $|win(t)| = |t| + 1$, $|move(t_1, t_2)| = |t_1|$, and the Herbrand specification $spec = (sS_w \cup sS_m, \emptyset)$, where

  $sS_w = \{\, win(t) \mid t \text{ is a ground term} \,\}$,
  $sS_m = \{\, move(t_1, t_2) \mid |t_1| > |t_2| \,\}$.

The program is obviously correct w.r.t. $spec$, and it is easy to check that it is a-acceptable. Thus it is left terminating. Notice that the analogous proof in (Apt and Pedreschi 1993) requires providing the unique model $I$ of the program completion. This model is also needed to apply the method of (Pedreschi and Ruggieri 1999) to this program. (More precisely, in order to show termination for goals from a precondition $Pre$, one has to know $I \cap Pre$; see the discussion in Section 4.3.4.)

The proof of (Apt and Pedreschi 1993) considers an arbitrary relation move for which the corresponding graph is finite and acyclic. Our proof can be easily adjusted to such a case, by replacing the function $|\ |$ above by the function $f$ used in (Apt and Pedreschi 1993) to define the level mapping in the proof.^15

Left termination does not imply a-acceptability. But according to Theorem 4.18 of (Apt and Pedreschi 1993), if $P$ is a left terminating, non-floundering program then $P$ is acceptable w.r.t. some level mapping $|\ |$ and a model $I$ of $comp(P)$. Thus $P$ is a-acceptable w.r.t. $|\ |$ and the specification $spec = (I, I)$.
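The following Python script is an added example; it is not part of the paper and not the authors' code. It computes the iteration $\Phi_P \uparrow n$ of the 3-valued immediate consequence operator for the GAME program above, checks that the result is total (as Theorem 4.16 predicts for an a-acceptable program), checks the level-mapping condition of Definition 4.15 over ground clause instances, and checks correctness w.r.t. $spec$ on ground atoms. Since the Herbrand base is infinite, the script restricts itself to the fragment whose arguments are lists of ones of length at most n_max; this fragment is closed under the clauses of GAME (every body atom of a ground instance with head win(n) refers only to shorter lists), so the iteration on it coincides with $\Phi_P \uparrow \omega$ restricted to those atoms. The encoding of a list of n ones as the integer n, the names used, and the bound n_max are the example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Example code, not from the paper.  The ground term [1,...,1] of length n is
# written as the integer n, so the term size |t| of Example 4.18 is n itself.
Atom = Tuple[str, Tuple[int, ...]]    # ('win', (3,)) or ('move', (3, 1))
Literal = Tuple[bool, Atom]           # (is_positive, atom)
Clause = Tuple[Atom, List[Literal]]   # (head, body)
TV = Optional[bool]                   # True / False / None (undefined)

MOVES = (1, 2, 4)   # move([1|X],X), move([1,1|X],X), move([1,1,1,1|X],X)


def fragment_atoms(n_max: int) -> List[Atom]:
    """Ground atoms over terms of length <= n_max (the assumed finite fragment)."""
    atoms: List[Atom] = [('win', (n,)) for n in range(n_max + 1)]
    return atoms + [('move', (n, m)) for n in range(n_max + 1) for m in range(n_max + 1)]


def ground_program(n_max: int) -> List[Clause]:
    """All ground instances of GAME whose terms have length <= n_max."""
    clauses: List[Clause] = []
    for n in range(n_max + 1):
        clauses += [(('move', (n, n - k)), []) for k in MOVES if n - k >= 0]
        # win(X) <- move(X, Y), not win(Y), for every Y of the fragment
        clauses += [(('win', (n,)), [(True, ('move', (n, m))), (False, ('win', (m,)))])
                    for m in range(n_max + 1)]
    return clauses


def body_value(interp: Dict[Atom, TV], body: List[Literal]) -> TV:
    """Strong Kleene conjunction: false if a literal is false, undefined if one
    is undefined, true otherwise (so the empty body of a fact is true)."""
    values = []
    for positive, atom in body:
        v = interp[atom]
        values.append(None if v is None else (v if positive else not v))
    if any(v is False for v in values):
        return False
    return None if any(v is None for v in values) else True


def phi(program: List[Clause], interp: Dict[Atom, TV]) -> Dict[Atom, TV]:
    """One application of the 3-valued immediate consequence operator Phi_P:
    an atom becomes true if some clause body for it is true, false if every
    body for it is false (vacuously, when it has no clause), else undefined."""
    bodies: Dict[Atom, List[TV]] = {atom: [] for atom in interp}
    for head, body in program:
        bodies[head].append(body_value(interp, body))
    result: Dict[Atom, TV] = {}
    for atom, values in bodies.items():
        if any(v is True for v in values):
            result[atom] = True
        else:
            result[atom] = False if all(v is False for v in values) else None
    return result


def phi_omega(n_max: int) -> Tuple[Dict[Atom, TV], int]:
    """Iterate Phi_P from the all-undefined interpretation until it is stable;
    returns the fixpoint on the fragment and the number of steps taken."""
    program = ground_program(n_max)
    interp: Dict[Atom, TV] = {atom: None for atom in fragment_atoms(n_max)}
    steps = 0
    while True:
        nxt = phi(program, interp)
        steps += 1
        if nxt == interp:
            return interp, steps
        interp = nxt


def is_total(interp: Dict[Atom, TV]) -> bool:
    return all(v is not None for v in interp.values())


def winning_positions(n_max: int) -> List[int]:
    lfp, _ = phi_omega(n_max)
    return [n for n in range(n_max + 1) if lfp[('win', (n,))] is True]


# The level mapping and the specification spec = (sS_w u sS_m, {}) of Example 4.18.
def level(atom: Atom) -> int:
    """|win(t)| = |t| + 1, |move(t1, t2)| = |t1|, and |not B| = |B|."""
    pred, args = atom
    return args[0] + 1 if pred == 'win' else args[0]


def in_specS(atom: Atom) -> bool:
    """sS_w: every win atom; sS_m: move(t1, t2) with |t1| > |t2|."""
    pred, args = atom
    return True if pred == 'win' else args[0] > args[1]


def in_specC(atom: Atom) -> bool:
    """specC = {}: nothing is required to succeed, so every atom may fail."""
    return False


def spec_satisfies(lit: Literal) -> bool:
    """specS u specC' |= L': positive atom in specS, negated atom outside specC."""
    positive, atom = lit
    return in_specS(atom) if positive else not in_specC(atom)


def a_acceptable(n_max: int) -> bool:
    """Level-mapping condition of Definition 4.15 on the fragment: for every
    ground instance A <- L1,...,Ln and every i, if the specification satisfies
    L1,...,L_{i-1} then |A| > |L_i|."""
    for head, body in ground_program(n_max):
        for i, (_, atom) in enumerate(body):
            if all(spec_satisfies(lit) for lit in body[:i]) and level(head) <= level(atom):
                return False
    return True


def correct_on_fragment(n_max: int) -> bool:
    """Correctness (Definition 4.5) for ground atoms of the fragment: atoms
    true in Phi_P^omega lie in specS, atoms false in it lie outside specC."""
    lfp, _ = phi_omega(n_max)
    return all((v is not True or in_specS(atom)) and (v is not False or not in_specC(atom))
               for atom, v in lfp.items())
```

Running phi_omega(12) yields a total interpretation in which win(n) is true exactly for the n not divisible by 3 (the losing positions of this game are the multiples of three), and a_acceptable(12) and correct_on_fragment(12) both succeed, in agreement with the claims made in the example.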

In this section we generalized the notion of acceptable program, so that in termination proofs one can use approximate specifications instead of unique models. We deal with termination of a program for all ground goals. There is another path of generalizing the method of (Apt and Pedreschi 1993) to programs that terminate only for some ground goals (Bossi et al. 1994; Schreye et al. 1992). The approach of (Pedreschi and Ruggieri 1999) belongs to this path. It proves left termination for the goals satisfying the precondition, however, as discussed in Section 4.3.4, for such goals the specification has to be exact.

We expect that some improvements of the method of (Apt and Pedreschi 1993) are also applicable to the method presented here, for instance a weakening of inequalities in the case of non-mutually recursive predicates (Apt and Pedreschi 1994; Pedreschi and Ruggieri 1999).

15 As function $f$ is defined only for the nodes of the graph, it should be generalized to arbitrary terms. This can be done by assuming $f(t) = 0$ for any term which is not a node of the graph.



4.4 Completeness of normal programs

As the operational semantics for normal programs we assume SLDNF-resolution, as defined by Apt and Doets (1994). To discuss completeness we need to refer to the notion of SLDNF-tree. We outline its definition below; for more details the reader is referred to (Apt and Doets 1994) or (Doets 1994).

An SLDNF-tree for a query $Q$ and a program $P$ is a set of trees, with one of them distinguished as the main tree. The nodes of the trees are queries and the trees are, roughly speaking, SLDNF-trees of (Lloyd 1987). $Q$ is the root of the main tree. Any node with a non-ground negative literal selected is a leaf of a tree; such a node is marked floundered. Whenever a ground negative literal $\neg A$ is selected in a node $N$ then there exists a subsidiary tree with the root $A$. The whole SLDNF-tree may be viewed as a tree of trees, in which the tree with the node $N$ is the parent of the subsidiary tree with the root $A$.

The leaves of each tree can be marked failed or success, with the expected meaning. So if a leaf $N$ is neither marked failed nor success then a negative literal $\neg A$ is selected in $N$; moreover $A$ is non-ground or the subsidiary tree for $A$ neither succeeds nor finitely fails. A tree succeeds if it has a success leaf. A tree finitely fails if it is finite and all its leaves are marked failed.

The SLDNF-tree succeeds (finitely fails) if the main tree does. To each success leaf of the main tree there corresponds a computed answer substitution $\theta$ for $Q$ (and a computed answer $Q\theta$), defined as expected.



4.4.1 Proof method

In this section we introduce a method for proving program completeness. Then we briefly discuss completeness of the method and provide a comparison with an operational proof method.

Definition 4.19

We say that a program $P$ is complete for a query $Q$ w.r.t. a specification $spec = (specS, specC)$ if

(i) $specS \cup specC' \models Q''$ implies $comp(P) \models_3 Q$,

(ii) $specS \cup specC' \models \neg Q'$ implies $comp(P) \models_3 \neg Q$.

Program $P$ is complete w.r.t. $spec$ if it is complete for any query $Q$.^16

We say that a program $P$ is SLDNF-complete for a query $Q$ w.r.t. a specification $spec = (specS, specC)$ if

(i) $specS \cup specC' \models Q''\sigma$ implies that some SLDNF-tree for $Q$ succeeds with an answer $Q\theta$ more general than $Q\sigma$,

(ii) $specS \cup specC' \models \neg Q'$ implies that some SLDNF-tree for $Q$ finitely fails.

From the soundness of SLDNF-resolution it follows that SLDNF-completeness implies completeness.

For Herbrand specifications completeness implies correctness:

Proposition 4.20

If a program $P$ is complete w.r.t. a Herbrand specification $spec = (specS, specC)$ then

1. $spec$ is proper, and

2. $P$ is correct w.r.t. $spec$.

Proof

1. If $spec$ is not proper then there exists a ground atom $A \in specC \setminus specS$. By Definition 4.19 $comp(P) \models_3 A$ and $comp(P) \models_3 \neg A$; contradiction.

2. Assume $P$ is not correct w.r.t. $spec$. So for some query $Q$ we have $comp(P) \models_3 Q$ and $specS \cup specC' \not\models Q'$, or $comp(P) \models_3 \neg Q$ and $specS \cup specC' \not\models \neg Q''$. In the first case we have $specS \cup specC' \models \neg Q'\theta$ for some ground $Q\theta$ and, by Definition 4.19, $comp(P) \models_3 \neg Q\theta$; contradiction. Similarly in the second case, $specS \cup specC' \models Q''\theta$ for some ground $Q\theta$ and $comp(P) \models_3 Q\theta$; contradiction. □

To show that the proposition does not hold for non-Herbrand specifications, consider a preinterpretation $J$, the set $S = \{\, t \in |J| : t \text{ is a value in } J \text{ of a ground term} \,\}$, and an element $u \in |J| \setminus S$. Let $I = \{\, p(t) \mid t \in S \,\}$. The program $\{ p(X) \leftarrow \}$ is complete w.r.t. $(I, I)$ and w.r.t. $(I, I \cup \{p(u)\})$; the latter specification is not proper. The program is however not correct w.r.t. any of these specifications. We consider completeness w.r.t. non-proper specifications as a rather pathological case.

The following theorem gives sufficient conditions for program completeness.

Theorem 4.21 (Completeness, normal programs)

Assume that the set of function symbols is infinite. Let $P$ be a program, $Q$ a query and $spec = (specS, specC)$ a specification such that

1. $P$ is correct w.r.t. $spec$, and

2. there exists an SLDNF-tree for $Q$ such that its main tree is finite and all the leaves of the main tree are marked failed or success.

Then $P$ is SLDNF-complete and complete for $Q$ w.r.t. $spec = (specS, specC)$.

16 These notions can be expressed in terms of the 4-valued logic by using the fact that $specS \cup specC' \models Q''$ is equivalent to $I_g(spec) \models_4 Q$, and $specS \cup specC' \models \neg Q'$ is equivalent to $I_g(spec) \models_4 \neg Q$.
Condition 2. implies that each $\neg A$ selected in the main tree is ground and the subsidiary tree for $A$ succeeds or fails. Notice that the SLDNF-tree may be infinite or contain floundering nodes. However the "important part" of it is finite and without floundering and can be computed under some search strategy in a finite number of steps. (When a success is obtained in a subsidiary tree, traversing this tree can be abandoned.) Remember that the selection rule in the tree is arbitrary; this includes delay mechanisms. If due to delays no literal is selected in a node of the main tree then condition 2. is not satisfied. It is a kind of floundering; the node is a leaf marked neither failed nor success.^17

The proof uses the following lemma.

Lemma 4.22

Assume that the set of function symbols is infinite. Let $t, t_1, \ldots, t_n$ be terms such that $t$ is not an instance of any $t_i$. Then there exists an instance of $t$ which is not unifiable with any $t_i$.

Proof

Let $v_1, \ldots, v_k$ ($k \geq 0$) be the variables of $t$. Let $f_1, \ldots, f_k$ be distinct function symbols (of arity $> 0$) not occurring in $t, t_1, \ldots, t_n$, and let $c$ be a constant. Let $u_i = f_i(c, \ldots, c)$, for $i = 1, \ldots, k$, be terms. Consider the substitution $\theta = \{v_1/u_1, \ldots, v_k/u_k\}$. Assume that $s = t\theta$ is unifiable with some $t_i$. As $s$ is ground, $t\theta = t_i\sigma$ for some substitution $\sigma$. The terms $u_1, \ldots, u_k$ occur (as subterms) in $\sigma$ (since they occur in $t_i\sigma$ but not in $t_i$). Let us replace each occurrence of the term $u_j$ in $\sigma$ by the variable $v_j$, obtaining $\sigma'$, and remove all the pairs of the form $v_j/v_j$ from $\sigma'$, obtaining a substitution $\sigma''$. Then $t = t_i\sigma''$, a contradiction with the assumption of the lemma. So $s = t\theta$ is not unifiable with any $t_i$. □
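The construction in the proof of Lemma 4.22 is directly implementable. The following Python script is an added example, not code from the paper: it represents terms as nested tuples, implements matching (to decide whether $t$ is an instance of some $t_i$) and unification with occurs check, and builds the instance $t\theta$ by binding each variable $v_j$ of $t$ to $f_j(c)$ for fresh unary function symbols $f_j$, exactly as in the proof. The term encoding, the naming of fresh symbols and the sample terms in the usage note are the example's own conventions.

```python
from typing import Dict, List, Optional, Set, Union

# Example code, not from the paper.  A variable is a string; a compound term
# f(t1,...,tn) is the tuple ('f', t1, ..., tn); a constant c is ('c',).
Term = Union[str, tuple]
Subst = Dict[str, Term]


def is_var(t: Term) -> bool:
    return isinstance(t, str)


def variables(t: Term) -> List[str]:
    """Variables of t, in order of first occurrence."""
    if is_var(t):
        return [t]
    seen: List[str] = []
    for arg in t[1:]:
        seen += [v for v in variables(arg) if v not in seen]
    return seen


def symbols(t: Term) -> Set[str]:
    """Function symbols (constants included) occurring in t."""
    return set() if is_var(t) else {t[0]}.union(*(symbols(a) for a in t[1:]))


def apply(sub: Subst, t: Term) -> Term:
    """Apply a (possibly triangular) substitution to a term."""
    if is_var(t):
        return apply(sub, sub[t]) if t in sub else t
    return (t[0],) + tuple(apply(sub, a) for a in t[1:])


def match(pattern: Term, term: Term, sub: Optional[Subst] = None) -> Optional[Subst]:
    """One-sided unification: a substitution s with pattern*s == term, or None."""
    sub = {} if sub is None else sub
    if is_var(pattern):
        if pattern in sub:
            return sub if sub[pattern] == term else None
        sub[pattern] = term
        return sub
    if is_var(term) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, sub) is None:
            return None
    return sub


def is_instance(t: Term, ti: Term) -> bool:
    """t is an instance of ti iff some substitution maps ti onto t."""
    return match(ti, t) is not None


def unify(s: Term, t: Term, sub: Optional[Subst] = None) -> Optional[Subst]:
    """Most general unifier with occurs check, or None if not unifiable."""
    sub = {} if sub is None else sub
    s, t = apply(sub, s), apply(sub, t)
    if s == t:
        return sub
    if is_var(s):
        if s in variables(t):        # occurs check
            return None
        sub[s] = t
        return sub
    if is_var(t):
        return unify(t, s, sub)
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        if unify(a, b, sub) is None:
            return None
    return sub


def separating_instance(t: Term, others: List[Term]) -> Term:
    """Construction of Lemma 4.22: for t that is an instance of no t_i, bind
    each variable v_j of t to f_j(c) with a fresh unary symbol f_j.  The
    result is a ground instance of t that unifies with no t_i."""
    if any(is_instance(t, ti) for ti in others):
        raise ValueError("t is an instance of one of the t_i")
    used = symbols(t).union(*(symbols(ti) for ti in others))
    theta: Subst = {}
    for j, v in enumerate(variables(t)):
        fresh = f"f{j}"
        while fresh in used:            # keep f_j distinct from all symbols in use
            fresh += "'"
        used.add(fresh)
        theta[v] = (fresh, ('c',))
    return apply(theta, t)
```

With t = p(X, Y) and the terms p(a, Z) and p(Z, Z), t unifies with both but is an instance of neither; separating_instance returns p(f0(c), f1(c)), which unifies with neither, as the lemma guarantees.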

Now we can present a proof of Theorem 4.21.

Proof

Assume that conditions 1. and 2. hold. Let $T$ be the SLDNF-tree for $Q$ satisfying 2.

(i) Let $specS \cup specC' \models \neg Q'$. We show that $T$ finitely fails. Assume that it does not. Then $T$ succeeds with some answer $Q\theta$. By correctness we have $specS \cup specC' \models Q'\theta$. Contradiction (with $specS \cup specC' \models \neg Q'$).

(ii) Let $specS \cup specC' \models Q''\sigma$. We want to show that $T$ contains an answer more general than $Q\sigma$. Assume the contrary. Let $Q_1, \ldots, Q_n$ ($n \geq 0$) be the answers of $T$; $Q\sigma$ is not an instance of any of them. By Lemma 4.22 there exists $Q\sigma\theta$ which is not unifiable with any of $Q_1, \ldots, Q_n$.

Consider the SLDNF-tree $U$ for $Q\sigma\theta$ under the same selection rule^18 as $T$. The nodes of $U$ are instances of the corresponding nodes of $T$. The main tree of $U$ is finite and all its leaves are marked failed or success. Any answer of $U$ is an instance of some $Q_i$ and of $Q\sigma\theta$. So no such answer exists and $U$ finitely fails. Hence $specS \cup specC' \models \neg Q''\sigma\theta$. Contradiction. □

17 Formally, the tree is not an SLDNF-tree, as a selection rule has to select a literal in every non-empty query.

18 We omit the tedious formalization of this notion.
We conclude this section by discussing completeness of the method and comparing it with the method of (Pedreschi and Ruggieri 1999).

A program $P$ may be complete w.r.t. a specification without satisfying condition 2. of Theorem 4.21 (e.g. a query may succeed but the main tree may be infinite). In such cases the method of proving completeness is inapplicable. However the method is trivially complete for Herbrand specifications and programs which terminate without floundering for the considered queries (formally: satisfy condition 2. of the theorem). This is because completeness w.r.t. a Herbrand specification implies correctness w.r.t. the same specification (Proposition 4.20). Hence condition 1. of Theorem 4.21 holds.

The operational proof method for total correctness of Pedreschi and Ruggieri (1999) was discussed in Section 4.3.4. Total correctness includes completeness. From the discussion after Definition 4.13 it follows immediately that the verification condition of that method implies completeness of $P$ (in the sense of Definition 4.19) for ground atomic queries from $Pre$ with respect to the specification $spec = ((\mathcal{H} \setminus Pre) \cup Post,\ Pre \cap Post)$. It also implies termination for such queries and, by Proposition 4.14, correctness of $P$ w.r.t. $spec$. Thus the completeness can be shown by our method, as the conditions of Theorem 4.21 hold (for all ground atomic queries which are requested by $spec$ to succeed or fail). Remember however that our approach requires a separate termination proof.

This shows that for ground atomic queries the method of this section is stronger than that of (Pedreschi and Ruggieri 1999) (as far as program completeness in the sense of Definition 4.19 is concerned). It is also strictly stronger, as it applies to programs that loop or flounder under the Prolog selection rule, but do not under some other one.^19



4.4.2 Example completeness proof

Let us illustrate our method of proving completeness of normal programs by applying it to a program defining the subset relation with an additional requirement that a subset must be a list without repetitions. The example is rather lengthy, as our intention was to present a detailed proof.

Example 4.23

Let $P$ be the following program:

    subs([], L) ←
    subs([H|T], LH) ← select(H, LH, L), subs(T, L), ¬member(H, T)
    select(H, [H|L], L) ←
    select(H, [X|L], [X|LH]) ← select(H, L, LH)

The definition and specification of member are the same as in Example 4.7. A Herbrand specification for $P$ is $spec = (specS, specC)$, where

  $specS = sS_m \cup sS_{sel} \cup sS_{subs}$, $specC = sC_m \cup sC_{sel} \cup sC_{subs}$,

  $sS_{sel} = \{\, select(e, l, m) \mid l \text{ is a list} \rightarrow e \in l \wedge m \text{ is a list} \wedge l \approx [e|m] \,\}$

  $sC_{sel} = \{\, select(e, l, m) \mid l \text{ and } m \text{ are lists such that } l = [e_1, \ldots, e_i, e, e_{i+1}, \ldots, e_k],\ m = [e_1, \ldots, e_i, e_{i+1}, \ldots, e_k],\ 0 \leq i \leq k \,\}$

  $sS_{subs} = \{\, subs(l, m) \mid m \text{ is a list} \rightarrow listd(l) \wedge l \subseteq m \,\}$

  $sC_{subs} = \{\, subs(l, m) \mid m \text{ is a list} \wedge listd(l) \wedge l \subseteq m \,\}$

Here $l \approx m$ means that the lists $l$ and $m$ contain the same elements, and $listd(l)$ means that $l$ is a list with distinct elements.

Let $spSC = specS \cup specC'$. To prove condition (a) for the second clause of predicate subs/2, assume that

  $spSC \models select(h, lh, l) \wedge subs(t, l) \wedge \neg member'(h, t)$.    (A)

We show that $subs([h|t], lh) \in sS_{subs}$. So let $lh$ be a list. From (A) it follows that:

(1) $select(h, lh, l) \in sS_{sel}$, hence $h \in lh$ and $l$ is a list such that $lh \approx [h|l]$;

(2) $subs(t, l) \in sS_{subs}$, hence $listd(t)$ and $t \subseteq l$, thus $t \subseteq lh$, by (1);

(3) $member(h, t) \notin sC_m$, hence $h \notin t$ (since $t$ is a list), thus $listd([h|t])$, by (2).

We obtain $[h|t] \subseteq lh$ and $listd([h|t])$; this completes the proof of condition (a) for the most complex clause of $P$.

Let us now prove condition (b) for predicate subs/2. We show that

  $spSC \cup spec_= \models subs'(S, M) \rightarrow S = [\,] \vee \exists H, T, L\ (S = [H|T] \wedge select'(H, M, L) \wedge subs'(T, L) \wedge \neg member(H, T))$.

Let $s, m$ be elements of the universe such that $spSC \models subs'(s, m)$, i.e. $subs(s, m) \in sC_{subs}$. So $m$ is a list, $s$ is a list of distinct elements and $s \subseteq m$. The case of $s = [\,]$ is obvious. Otherwise $s = [h|t]$. Since $h \in s$ and $s \subseteq m$, $m = [m_1, \ldots, m_{i-1}, h, m_{i+1}, \ldots, m_k]$. Take $[m_1, \ldots, m_{i-1}, m_{i+1}, \ldots, m_k]$ as $l$. Obviously $select(h, m, l) \in sC_{sel}$. From $listd([h|t])$ we have $listd(t)$ and $h \notin t$. Thus $member(h, t) \notin sS_m$. Also $subs(t, l) \in sC_{subs}$, as $t \subseteq l$ (every element of $t$ is in $m$ and differs from $h$). Thus the right hand side of the implication holds.

The remaining part of the proof of conditions (a), (b) is easier and is skipped here. It follows that $P$ is correct w.r.t. $spec$.

Consider a query $Q = subs(L, M)$, where $L$ is a variable and $M$ a ground list. Once it is shown that for such queries $P$ terminates without floundering (under some selection rule and search strategy), it follows that $P$ is complete for such queries. This means that for a given set all its subsets will be computed (i.e. all the permutations of the corresponding lists).

Assume that we do not have a termination proof and request all answers to a query $Q$ from an interpreter with run-time checks for floundering. Then if the execution terminates, we know that all the answers for $Q$ required by the specification have been produced. This happens in the case of our example program $P$ and Prolog. □

19 A wider class of queries is dealt with by Theorem 5.10 of (Pedreschi and Ruggieri 1999). It provides a criterion implying condition (i) of Definition 4.19 of completeness. Also in this case the criterion implies that a completeness proof by our method exists.
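Before carrying out a proof of conditions (a) and (b) by hand, it pays to test the verification conditions mechanically on a finite part of the Herbrand universe; a counterexample found this way usually points at a missing literal or a wrong specification. The following Python script is an added example, not the paper's code. It encodes the specification of Example 4.23 as predicates on ground terms, enumerates all ground instances of the clauses of subs/2 and select/3 whose variables range over the constants a, b and the lists over them of length at most 3, and checks condition (a) ($specS \cup specC' \models P'$) and condition (b) (every atom of $specC$ is the head of some clause instance whose body $B''$ holds in $specS \cup specC'$) on that fragment. For (b) the fragment is closed in the sense needed: the body atoms of the instance supporting a subs or select atom of $specC$ mention only shorter lists. The definition of member is not needed, only its specification; $sC_m$ comes from Example 4.7, which is not shown on this page, and is assumed here to be $\{\, member(x, l) \mid l \text{ is a list} \wedge x \in l \,\}$. A variant of the program with the literal ¬member(H, T) dropped is also constructed, to show that the check detects the resulting violation of (a). The term encoding, the bound on list length and all names are the example's own assumptions.

```python
import itertools

# Example code, not from the paper.  Ground terms: the constants 'a' and 'b';
# a proper list is a tuple of terms; [h|t] with a non-list tail t is the
# improper term ('.', h, t).  Encoding and bounds are this example's own.
ELEMS = ('a', 'b')


def is_list(t):
    return isinstance(t, tuple) and (t == () or t[0] != '.')


def cons(h, t):            # the term [h|t]
    return (h,) + t if is_list(t) else ('.', h, t)


def listd(t):              # t is a list with distinct elements
    return is_list(t) and len(set(t)) == len(t)


def universe(max_len=3):
    """Finite part of the Herbrand universe (constructed for the check): the
    constants and all proper lists over them of length <= max_len."""
    terms = list(ELEMS)
    for n in range(max_len + 1):
        terms += [tuple(p) for p in itertools.product(ELEMS, repeat=n)]
    return terms


# Predicate specifications of Example 4.23 as predicates on ground terms.
def sS_member(x, l): return not is_list(l) or x in l
def sC_member(x, l): return is_list(l) and x in l   # assumed; Example 4.7 is not shown here
def sS_select(e, l, m):
    return not is_list(l) or (e in l and is_list(m) and set(l) == set(cons(e, m)))
def sC_select(e, l, m):
    return is_list(l) and is_list(m) and any(
        l[i] == e and l[:i] + l[i + 1:] == m for i in range(len(l)))
def sS_subs(l, m): return not is_list(m) or (listd(l) and set(l) <= set(m))
def sC_subs(l, m): return is_list(m) and listd(l) and set(l) <= set(m)

SPEC_S = {'member': sS_member, 'select': sS_select, 'subs': sS_subs}
SPEC_C = {'member': sC_member, 'select': sC_select, 'subs': sC_subs}

# Clauses of P as (number of variables, function from the variables to the
# ground instance (head, body)); a body literal is (is_positive, (pred, args)).
CLAUSES = [
    (1, lambda L: (('subs', ((), L)), [])),
    (4, lambda H, T, LH, L: (('subs', (cons(H, T), LH)),
                              [(True, ('select', (H, LH, L))),
                               (True, ('subs', (T, L))),
                               (False, ('member', (H, T)))])),
    (2, lambda H, L: (('select', (H, cons(H, L), L)), [])),
    (4, lambda H, X, L, LH: (('select', (H, cons(X, L), cons(X, LH))),
                              [(True, ('select', (H, L, LH)))])),
]
# Constructed variant of P with the test "not member(H, T)" dropped.
CLAUSES_NO_CHECK = [CLAUSES[0],
                    (4, lambda H, T, LH, L: (('subs', (cons(H, T), LH)),
                                              [(True, ('select', (H, LH, L))),
                                               (True, ('subs', (T, L)))]))] + CLAUSES[2:]


def ground_instances(clauses, max_len=3):
    U = universe(max_len)
    for arity, clause in clauses:
        for args in itertools.product(U, repeat=arity):
            yield clause(*args)


def holds_primed(lit):
    """specS u specC' |= L': a positive atom in specS, a negated atom outside specC."""
    positive, (pred, args) = lit
    return SPEC_S[pred](*args) if positive else not SPEC_C[pred](*args)


def holds_double_primed(lit):
    """specS u specC' |= L'': a positive atom in specC, a negated atom outside specS."""
    positive, (pred, args) = lit
    return SPEC_C[pred](*args) if positive else not SPEC_S[pred](*args)


def condition_a(clauses=CLAUSES, max_len=3):
    """(a) specS u specC' |= P': for every ground instance A <- B whose body
    B' holds in the specification, A is in specS.  Returns a violating head
    atom, or None if the fragment contains no counterexample."""
    for (pred, args), body in ground_instances(clauses, max_len):
        if all(holds_primed(lit) for lit in body) and not SPEC_S[pred](*args):
            return (pred, args)
    return None


def condition_b(clauses=CLAUSES, max_len=3):
    """(b) for subs/2 and select/3: every atom of specC is the head of some
    ground instance A <- B with B'' true.  Returns an unsupported atom or None."""
    supported = {head for head, body in ground_instances(clauses, max_len)
                 if all(holds_double_primed(lit) for lit in body)}
    U = universe(max_len)
    for pred, arity in (('subs', 2), ('select', 3)):
        for args in itertools.product(U, repeat=arity):
            if SPEC_C[pred](*args) and (pred, args) not in supported:
                return (pred, args)
    return None
```

A None result means that no counterexample exists in the fragment, which is evidence rather than a proof; the counterexample returned for the variant without the ¬member test (a head subs([h|t], lh) with h occurring in t, hence outside $sS_{subs}$) is, however, a genuine violation of condition (a), which is exactly the step (3) of the hand proof above that the dropped literal supplies.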
4.5 Example

In this section we illustrate our method of proving correctness and completeness of normal programs by a larger example. We have chosen a program calculating the transitive closure of a given relation and its toy application to searching airway connections satisfying given requirements. Transitive closure is used as an example in many papers on proving program properties, e.g. (Apt 1995; Ferrand and Deransart 1993; Malfon 1994).

For our example we choose rather arbitrary approximate specifications. The purpose is to illustrate how just some of a program's properties can be proven. We also show how the method applies in the case of extending a program by adding new predicates.

Information about the flights is given by predicate direct/3; direct(from, to, flight(time, price)) denotes that there exists a direct flight from from to to, the time of the flight is equal to time and its cost is price. We assume that time and price are natural numbers.

Let FLIGHTS be the following program:

    good_conn(X, Y, Req) ← connect(X, Y, Dxy), satisfies(Dxy, Req)

    connect(X, Y, Dxy) ← connect(X, Y, Dxy, [X])

    connect(X, Y, [D], V) ← direct(X, Y, D)
    connect(X, Z, [D|Dyz], V) ←
        direct(X, Y, D),
        ¬member(Y, V),
        connect(Y, Z, Dyz, [Y|V])

    % satisfies(ListOfFlightsInfo, Requirements), where
    % Requirements = req(MaxNoOfTransfers, MaxTotalCost, MaxFlightTime)
    satisfies(List, req(MaxTr, MaxTotalCost, MaxFlightTime)) ←
        analyze(List, NoOfTransfers, TotalCost, MaxFlightTime),
        lesseq(NoOfTransfers, MaxTr),
        lesseq(TotalCost, MaxTotalCost)

    % analyze(ListOfFlightsInfo, NumberOfTransfers, Cost, MaxFlightTime)
    analyze([], 0, 0, MaxFlightTime) ←
    analyze([flight(Time, Price)|List], NoOfTransfers, Cost, MaxFlightTime) ←
        lesseq(Time, MaxFlightTime),
        analyze(List, NoOfTrL, ListCost, MaxFlightTime),
        add(ListCost, Price, Cost),
        add(NoOfTrL, 1, NoOfTransfers)

We omit here the definition of direct/3 and the definitions of the (built-in) predicates lesseq/2 and add/3. The definition of member/2 is the same as in the previous examples.

Predicate direct/3 defines a directed graph: direct(x, y, info) means that there is an edge from x to y labelled by info. We assume that there is no loop, i.e. an edge (direct flight) from x to x. Following (Ross and Wright 2003), by a path we will understand a non-empty sequence of edges satisfying the standard condition: the terminal vertex of each edge is the initial vertex of the next. A cycle is a path $(x_1, x_2), \ldots, (x_n, x_1)$, $n \geq 1$, such that $x_1, \ldots, x_n$ are distinct vertices. A graph that contains no cycle is called acyclic. A path is acyclic if the graph consisting of the vertices and edges of the path is acyclic.

We begin with proving correctness and completeness of FLIGHTS with respect 
to the specification such that its first part (specS) is constructed from the following 
sets of ground atoms (which may be called predicate specifications). Let G denote 
the labelled graph defined by direct /3, and J\f, Z the sets of natural and integer 
numbers, respectively. 



specS_good_conn = { good_conn(x, y, req(k, c, t)) | there exists in G a path
    from x to y such that the total cost of the connection
    does not exceed c, c ∈ N }

specS_connect/3 = { connect(x, y, d) | there exists in G a path from x to y
    and d is the sequence (list) of its edge labels }

specS_connect/4 = { connect(x, y, d, v) | connect(x, y, d) ∈ specS_connect/3 }

specS_satisfies = { satisfies(list, req(maxTrans, maxCost, maxTime)) |
    list is a list of elements of the form flight(t_i, p_i) such
    that the total sum of the p_i's does not exceed maxCost,
    p_i, maxCost ∈ Z }

specS_analyze = { analyze(list, noTrans, totalCost, maxFlightTime) |
    list is a list of elements of the form flight(t_i, p_i)
    such that the total sum of the p_i's is equal to totalCost,
    p_i, totalCost ∈ Z }

specS_direct = { direct(x, y, flight(t, p)) | there exists an edge in G
    (a direct flight) from x to y labelled flight(t, p),
    t, p ∈ N }

specS_lesseq = { lesseq(x, y) | x ≤ y, x, y ∈ Z }
specS_add = { add(x, y, z) | x + y = z, x, y, z ∈ Z }
specS_member = { member(x, l) | l is a list → x ∈ l }



Let us notice that specS_direct, specS_lesseq and specS_add are exact specifications.
The remaining ones are approximate: they allow cyclic paths and abstract from
the number of transfers and the flight times, and from the form of the last argu-
ment of connect/4; the approximate specification of member is taken from previous
examples.

The second part of the specification (specC) is constructed from the following sets
of ground atoms:
specC_good_conn = { good_conn(x, y, req(k, c, t)) | there exists in G an
    acyclic path from x to y denoting a connection such that:
        the number of transfers does not exceed k,
        its total cost does not exceed c,
        the time of each flight does not exceed t,
    k, c, t ∈ N }

specC_connect/3 = { connect(x, y, d) | there exists in G an acyclic path
    from x to y such that d is the sequence (list) of its
    edge labels }

specC_connect/4 = { connect(x, y, d, v) | there exists in G an acyclic path
    from x to y, d is the sequence (list) of its edge labels
    and v is a list containing no internal node of the path }

specC_satisfies = { satisfies(list, req(maxTrans, maxCost, maxTime)) |
    list is a non-empty list of elements of the form flight(t_i, p_i),
    the length of list does not exceed maxTrans + 1,
    the total sum of the p_i's does not exceed maxCost,
    each t_i does not exceed maxTime,
    maxTrans, maxCost, maxTime, t_i, p_i ∈ N }

specC_analyze = { analyze(list, noTrans, totalCost, maxTime) |
    list is a list of elements of the form flight(t_i, p_i) such that:
        the length of list is equal to noTrans + 1,
        the total sum of the p_i's is equal to totalCost,
        each t_i does not exceed maxTime,
    noTrans ∈ Z, totalCost, maxTime, t_i, p_i ∈ N }

specC_direct = specS_direct
specC_lesseq = specS_lesseq
specC_add = specS_add
specC_member = { member(x, l) | l is a list ∧ x ∈ l }



Specifications specC_connect/3 and specC_connect/4 are approximate, as they include
only acyclic paths, while the program also finds paths that are concatenations of an
acyclic path from x to y with a cycle from y to y (furthermore they require the
fourth argument of connect to be a list). Specifications specC_satisfies, specC_analyze
and specC_member are also approximate (as some numbers are required to be in N,
the last argument of analyze may be not a number, the last argument of member
not a list, etc.). The remaining specifications above are exact.

Notice that in the description of specC_good_conn the expression "an acyclic path"
may be replaced by "a path", as each path with the described properties can be
transformed into an acyclic path with these properties by removing the cycles.
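As an added illustration (not code from the paper, and not part of FLIGHTS), the following Python script follows the two clauses of connect/4 over a small constructed graph that contains a cycle and checks that specC_connect/4 ⊆ computed answers ⊆ specS_connect/4; the graph, its edge labels and all function names are assumptions made here.

```python
from itertools import combinations, product

# Constructed sample graph, direct(x, y, label); b -> c -> b is a cycle.
DIRECT = [("a", "b", "f1"), ("b", "c", "f2"), ("c", "b", "f3"), ("a", "c", "f4")]
NODES = sorted({n for x, y, _ in DIRECT for n in (x, y)})


def connect4(x, z, v):
    """Label lists d with connect(x, z, d, v) an answer of FLIGHTS, obtained by
    following its two clauses:
      connect(X,Z,[D],V)     <- direct(X,Z,D)
      connect(X,Z,[D|Dyz],V) <- direct(X,Y,D), \\+ member(Y,V), connect(Y,Z,Dyz,[Y|V])
    v only grows, so the recursion terminates on a finite graph."""
    answers = set()
    for s, y, d in DIRECT:
        if s != x:
            continue
        if y == z:                                   # first clause
            answers.add((d,))
        if y not in v:                               # second clause
            answers |= {(d,) + rest for rest in connect4(y, z, (y,) + v)}
    return answers


def paths(x, z, max_len):
    """Edge sequences from x to z with at most max_len edges (cycles allowed)."""
    found = []

    def walk(node, edges):
        if edges and node == z:
            found.append(tuple(edges))
        if len(edges) < max_len:
            for s, y, d in DIRECT:
                if s == node:
                    walk(y, edges + [(s, y, d)])

    walk(x, [])
    return found


def labels(path):
    return tuple(d for _, _, d in path)


def in_spec_s(x, z, d):
    """specS_connect/4: some path from x to z has label list d (v arbitrary)."""
    return any(labels(p) == d for p in paths(x, z, len(d)))


def in_spec_c(x, z, d, v):
    """specC_connect/4: an acyclic path from x to z has label list d and none
    of its internal nodes occurs in v (a path is acyclic iff its vertices are distinct)."""
    for p in paths(x, z, len(d)):
        verts = [p[0][0]] + [y for _, y, _ in p]   # vertex sequence of the path
        if (labels(p) == d and len(set(verts)) == len(verts)
                and not set(verts[1:-1]) & set(v)):
            return True
    return False


def check_connect4():
    """Correctness (answers <= specS) and completeness (specC <= answers) over
    all x, z and every visited list v of distinct nodes."""
    correct, complete, outside = True, True, set()
    for x, z in product(NODES, NODES):
        for r in range(len(NODES) + 1):
            for v in combinations(NODES, r):
                ans = connect4(x, z, v)
                correct &= all(in_spec_s(x, z, d) for d in ans)
                spec_c = {labels(p) for p in paths(x, z, len(NODES))
                          if in_spec_c(x, z, labels(p), v)}
                complete &= spec_c <= ans
                # answers allowed by specS but not in specC (acyclic path + cycle)
                outside |= {(x, z, d, v) for d in ans if d not in spec_c}
    return {"correct": correct, "complete": complete, "outside_specC": outside}
```

The answers reported under outside_specC are exactly the acyclic-path-plus-cycle answers mentioned above (here a→c followed by the cycle c→b→c), which is why specC_connect/4 has to be approximate.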
Consider the Herbrand specification spec = (specS, specC), where

specS = specS_direct ∪ specS_good_conn ∪ specS_connect/3 ∪
        specS_connect/4 ∪ specS_satisfies ∪ specS_analyze ∪
        specS_lesseq ∪ specS_add ∪ specS_member

specC = specC_direct ∪ specC_good_conn ∪ specC_connect/3 ∪
        specC_connect/4 ∪ specC_satisfies ∪ specC_analyze ∪
        specC_lesseq ∪ specC_add ∪ specC_member

We would like to prove that FLIGHTS is correct with respect to the above
specification spec. Thus we have to show that conditions (a) and (b) of Theorem 4.6
are satisfied. To prove condition (a) for predicate good_conn we have to show that:

specS ⊨ good_conn(X, Y, R) ← connect(X, Y, D) ∧ satisfies(D, R)

Let x, y, d, r be ground terms such that specS_connect/3 ⊨ connect(x, y, d) and
specS_satisfies ⊨ satisfies(d, r). This means that there exists in G a path from x
to y and d is the sequence of its edge labels, so d is a non-empty list of elements
of the form flight(t, p). Moreover r is of the form req(k, c, t) and the sum of all p's
does not exceed c. Hence specS_good_conn ⊨ good_conn(x, y, r).

To prove condition (b) for predicate good_conn we have to show that:

specC ⊨ good_conn(X, Y, R) → ∃D (connect(X, Y, D) ∧ satisfies(D, R))

For predicates connect/3 and connect/4 we have to prove the following
implications:

specS ⊨ connect(X, Y, Dxy) ← connect(X, Y, Dxy, [X])
specC ⊨ connect(X, Y, Dxy) → connect(X, Y, Dxy, [X])
specS ⊨ connect(X, Y, [D], V) ← direct(X, Y, D)
specS ∪ specC' ⊨ connect(X, Z, [D|Dyz], V) ← direct(X, Y, D) ∧
                  ¬member'(Y, V) ∧ connect(Y, Z, Dyz, [Y|V])
specS ∪ specC ∪ spec= ⊨ connect'(X, Z, L, V) → (∃D L = [D] ∧ direct'(X, Z, D))
                  ∨ (∃Y ∃D ∃Dyz L = [D|Dyz] ∧ direct'(X, Y, D) ∧
                     ¬member'(Y, V) ∧ connect'(Y, Z, Dyz, [Y|V]))

Let us prove the last implication. Assume that specC_connect/4 ⊨ connect(x, z, l, v).
It means that (in G) there exists an acyclic path from x to z and l is the list
of its edge labels. If the path consists of exactly one edge, it must be an edge from
x to z (labelled d), thus there is a direct flight from x to z. So the following holds:
l = [d] and specC ⊨ direct(x, z, d). Let l consist of more than one element. So
l = [d_1, d_2, ..., d_k], where k > 1 and d_i is the label of the i-th edge of the path
from x to z. The first edge of that path goes from x to a node y; let d be its
label (d = d_1) and let dyz = [d_2, ..., d_k]. So the following holds: l = [d|dyz] and
specC ⊨ direct(x, y, d). From specC_connect/4 ⊨ connect(x, z, l, v) it also follows
that v is a list such that y ∉ v, so specS_member ⊨ ¬member(y, v). To complete this
proof we have to show that specC ⊨ connect(y, z, dyz, [y|v]). We already know that
there exists an acyclic path from y to z (a subpath of the path from x to z), dyz is
the list of edge labels of that (sub)path and v is a list such that each internal node
of the path from x to z is not its element. It remains to show that also y is not
an internal node of the subpath from y to z, but this follows immediately from the
assumption on the acyclicity of the entire path from x to z. This ends the proof of
that implication.

We leave to the reader the details of the proofs of the remaining implications, as
well as the proofs of conditions (a) and (b) for the remaining predicates. It follows that
FLIGHTS is correct w.r.t. spec. Thus we know that if good_conn(x, y, req(k, c, t))
is a computed answer then there exists a connection from x to y and its cost
is not greater than c. Moreover if a query good_conn(x, y, req(k, c, t)) fails then we
know that specC_good_conn ⊨ ¬good_conn(x, y, req(k, c, t)) and there does not exist a
connection fulfilling the requirements on the number of transfers, cost and maximal
flight time.

From Theorem 4.21 (on proving completeness) it follows, for instance, that if a
query good_conn(x, Y, req(k, c, t)) (where Y is a variable) terminates without floun-
dering then all places (vertices) y are found such that there exists a connection from
x to y satisfying the requirements (i.e. specC_good_conn ⊨ good_conn(x, y, req(k, c, t))).

Let us extend FLIGHTS by adding a new predicate bad_conn defined as follows:

bad_conn(X, Y, Req) ← ¬good_conn(X, Y, Req)

Let specn = (specSn, specCn), where

specSn = specS ∪ specS_bad_conn,    specCn = specC ∪ specC_bad_conn

specS_bad_conn = { bad_conn(x, y, r) | if r = req(k, c, t) and k, c, t ∈ N then
    there does not exist in G a path from x to y
    denoting a connection such that:
        the number of transfers does not exceed k,
        its total cost does not exceed c,
        the time of each flight does not exceed t }
specC_bad_conn = { bad_conn(x, y, r) | there does not exist in G a path
    from x to y }

Notice that specS_bad_conn and specC_bad_conn also contain atoms of the form
bad_conn(x, y, r) where x or y is not a vertex of the graph. As explained previ-
ously, in the description of specS_bad_conn "a path" may be replaced by "an acyclic
path". Specification specS_bad_conn is exact and specC_bad_conn is approximate.
We have to prove the following new implications concerning predicate bad_conn:

specS_bad_conn ∪ specC_good_conn ⊨ bad_conn(X, Y, R) ← ¬good_conn(X, Y, R)
specC_bad_conn ∪ specS_good_conn ⊨ bad_conn(X, Y, R) → ¬good_conn(X, Y, R)

As before we leave the details of the proofs to the reader. The rest of the
implications remains the same, and hence the previous proofs remain valid. Thus the
extended program is correct w.r.t. the specification specn.

So if bad_conn(x, y, r) is a computed answer then there does not exist a connection
from x to y satisfying r. After having proved that the program terminates and does
not flounder for ground queries of the form bad_conn(x, y, r), we will also know that
the program is complete for such queries w.r.t. specn. Hence bad_conn(x, y, r) will
succeed for any x, y such that there does not exist a connection from x to y.

To end with, suppose we are interested just in direct connections and choose the
following (approximate) specification:

specCn_bad_conn = { bad_conn(x, y, req(0, c, t)) | there does not exist in G
    an edge from x to y labelled flight(s, p) such that
    p ≤ c, c, t, p, s ∈ N }

This specification refers to the number of transfers (more precisely, to connec-
tions without transfers) whereas the specification specS abstracted from this. In
order to prove correctness of the extended program w.r.t. a specification containing
specCn_bad_conn instead of specC_bad_conn, we have to strengthen specS (modifying
specS_good_conn, specS_satisfies and specS_analyze) and prove again the corresponding
conditions. For example a new specification for predicate good_conn/3 could be:

specSn_good_conn = { good_conn(x, y, req(k, c, t)) | there exists in G a path
    from x to y of length not greater than k + 1, the total
    cost of the connection does not exceed c, k, c ∈ N }

Specifications specS_satisfies and specS_analyze should be strengthened analogously
(by taking into account the total length of the list and the fact that if the costs in
the connection list are in N then the total cost is in N) and the proof should be
modified accordingly.

Every (logic) programmer should have, at least in her mind, intended meaning 
for all the used predicates. Specification spec = (specS, specC) is a formalization 
of such intended meaning. It is important that in most cases the specification is 
approximate (specS ≠ specC); specifying exactly the meaning of the program is
usually too cumbersome and unnecessary. We believe that the methods advocated 
in this paper are a formalization of informal reasoning performed by a competent 
programmer to convince herself about correctness of a program. 



5 Related work 

In this section we present a brief overview of related work. 

Due to our approach to specifications, we do not need any explicit notion of pre-
condition, type information, or domain of a procedure. Such notions are used in
most other approaches (Bossi and Cocco 1989; Apt 1997; Pedreschi and Ruggieri 1999;
Deville 1990) in order to deal with "ill-typed" atoms, for which the behaviour of the
program is of no interest. For similar purposes Naish (2000) introduces a 3-valued
approach to definite programs.

An approach related to ours is the annotation method of Deransart (Deransart 1993,
Section 4; Boye and Małuszyński 1997, Section 4) for proving definite program cor-
rectness. It can be seen as a refinement of the natural method of Section 3.1, where
one proves more (but smaller) implications than those to be proved in the natural
method.

A method for proving completeness of definite programs, similar to ours, was
presented in (Deransart and Małuszyński 1993). Both approaches are compared in
Section 3.3.

Comparison with the operational method (Bossi and Cocco 1989; Apt 1997;
Pedreschi and Ruggieri 1999) for correctness of definite programs is given in
Section 3.2. The operational method can be generalized to correctness of normal
programs (Apt 1995; Pedreschi and Ruggieri 1999); we present a comparison in
Section 4.3.4. We show that the correctness proving approaches presented in this
paper are stronger than the corresponding operational ones (as far as properties of
program answers are concerned); moreover our approach for normal programs is
strictly stronger. The method of (Pedreschi and Ruggieri 1999) includes proving
completeness of normal programs. In Section 4.4.1 we show that it is strictly weaker
than the method of Theorem 4.21. Also, the methods presented in this paper are,
in our opinion, simpler than the operational ones. In particular, in the approach of
(Pedreschi and Ruggieri 1999) one has to prove correctness, completeness and
termination together. Due to this one cannot use approximate specifications.

The comparisons formally show that it is not necessary to refer to operational 
semantics in reasoning about declarative properties of programs. Naish (1996) 
presents a similar opinion; he advocates a declarative view for a class of program 
properties which are often treated as operational. 

A related early work is (Deville 1990). It presents a method to develop Prolog
programs. Their correctness and completeness follow from the construction. However
the construction process consists of many stages and is rather complicated.

Our approach to normal programs considers their 3-valued semantics, in contrast
to (Deville 1990; Apt 1995; Pedreschi and Ruggieri 1999) where 2-valued semantics
is used. The 3-valued completion semantics more precisely corresponds to the op-
erational semantics mainly used in practice (negation as finite failure and SLDNF-
resolution). Introducing 3-valued semantics does not result in any difficulties: our
proof methods use only the standard 2-valued logic.

An important approach to proving properties of normal programs was proposed
by Stärk (1997). It deals with normal programs executed under the Prolog selection
rule. Success, failure and termination are described by an inductive theory, called
the inductive extension of a program. The theory can be seen as a refinement of the
notion of program completion. The program's properties of interest are expressed
as formulae and one has to prove that they are consequences of the theory. This
is opposite to our approach, where properties are expressed as specifications and
appear to the left of ⊨, while a program (or a theory similar to program completion)
appears to the right of ⊨.

Some properties, like "for any k there exists l such that P ⊨ p(k, l)", are express-
ible in the approach of (Stärk 1997) but cannot be expressed as interpretations in
our approach. To deal with such properties we need to use specifications which are
theories, not interpretations; we expect that our approach is also applicable to such
specifications.

The approach of (Stärk 1997) includes clean termination and is equipped with a
tool to mechanically verify the proofs. It is however bound to the Prolog selection rule.
The involved induction scheme is rather complicated; the scheme seems difficult
to use without computer support. The purpose of our work is different: we are
interested in the declarative semantics and in basic methods, which can be widely
understood by programmers and used - possibly in an informal form - in practical
reasoning about actual programs.

Ferrand and Deransart (1993) presented a method of proving correctness of nor-
mal programs. (Their terminology is different; what they call "partial complete-
ness" is, in our terminology, correctness for negative atomic queries.) In contrast to
our work they deal with the well-founded semantics (Van Gelder et al. 1991). Their
specifications are thus Herbrand interpretations. The validation conditions of their
method consist of conditions equivalent to those of Theorem 4.6 and of an additional
requirement involving the existence of a certain well-founded ordering of atoms.

Malfon (1994) presented methods of proving program completeness for three
kinds of semantics, given by the well-founded model, the least fixpoint of Φ_P, and by
Φ_P↑ω. (Notice that the latter is not the Kunen semantics considered in this paper.)
Similarly to the previous case, the proposed sufficient conditions for completeness
are (equivalent to) the conjunction of our conditions for correctness and a condition
involving a well-founded ordering. The latter depends on the considered semantics.



6 Conclusions 

This paper advocates declarative reasoning about logic programs. We show how 
to prove correctness and completeness of definite and normal logic programs in 
a declarative way, independently from any operational semantics. This makes it 
possible to separate reasoning about "logic" from reasoning about "control". The
method for proving correctness of definite programs is not new, however its useful- 
ness has not been appreciated. The methods for completeness and for correctness 
of normal programs are a contribution of this work. 

We refer to two specifications; one for correctness and one for completeness. This 
makes it possible to specify the program semantics approximately, thus simplifying 
the specifications and the proofs. In this paper specifications are interpretations, 
but the approach seems applicable to specifications being theories. 

The semantics of normal programs is 3-valued. We do not however explicitly refer 
to 3-valued logic. Instead, a pair of 2-valued specifications plays the role of a 4-valued
specification for correctness and a 3-valued specification for completeness. Also, we 
use a 2-valued characterization of the 3-valued completion semantics, which may 
be of separate interest. 

Approximate specifications are convenient not only when one deals with pro-
gram correctness and completeness. We show how approximate specifications can
be used to generalize and simplify the proof method of (Apt and Pedreschi 1993)
for termination of normal programs.

Some authors suggest referring to operational semantics, in particular to the form
of call patterns under LD- (LDNF-) resolution, when reasoning about correctness.
We claim that our approach is simpler. We show formally that whatever can be
proved using the operational approach can be proved in the approach advocated
here (as far as properties of program answers are concerned). For normal programs
our approach is strictly stronger, for definite programs the two approaches are
equivalent.

The operational methods additionally prove some properties of the operational 
semantics, which are outside of the scope of our approach. Obviously, when such 
properties are of interest, operational methods are indispensable. Their importance 
should not be neglected. But as long as we are interested in properties of computed 
answers (correctness and completeness), and not in some details of computations 
(like call patterns), the declarative approach is sufficient. Termination is an im- 
portant operational property, which in contrast to correctness and completeness 
depends on the selection rule. But even for termination most approaches, like the
method of (Apt and Pedreschi 1993), do not explicitly refer to call patterns (except
for the initial query).

If it were necessary to resort to operational semantics in order to prove basic pro- 
gram properties then logic programming would not deserve to be called a declarative 
programming paradigm. This work shows that this is not the case. 

We believe that the presented proof methods are simple and natural. We claim 
that they are a formalization of a style of thinking in which a competent logic 
programmer reasons (or should reason) about her programs. We believe that these 
methods, possibly treated informally, are a valuable tool for actual everyday rea- 
soning about real programs. We believe that they should be used in teaching logic 
programming. 